PowerSchool Data Breach

1.0 Incident

Recently an event occurred at PowerSchool which is a service used by educators to hold student and teacher data. This breach caused not only current student and teacher data to be leaked but also previous users who had data stored in PowerSchool's database. This leak involved the loss of private information such as Social Security numbers, Health information, and more. School data may seem less valuable than other categories of data such as banking information, however this data is very valuable to attackers. This data is a breach of information protected by HIPPA and students are likely to have no credit history making the Social Security numbers more valuable. The data breach was followed by data being held by a ransom which has been paid by PowerSchool. However, this does not change that the data has been lost and you cannot trust the attackers who got hold of the data. Later in this report we will discuss different topics such as if paying the ransom was the correct choice, what PowerSchool and other education systems can do to prevent any further breaches, as well as the outcomes that could follow this breach.

2.0 Analysis

As of now we know that the attackers accessed PowerSchool's customer support portal with stolen username and password's (CMIT Solutions, 2025). The attackers are still at large and with this attack being resolved by a paid ransom I believe PowerSchool will likely strengthen their current system and pay off any lawsuits or further ransoms over the data the attackers supposedly deleted. However this data included information protected by FERPA and as previously mentioned HIPPA since they contained students academic as well as health information so the company should be prepared to face legal issues between schools or individual who were affected by the breach. Articles discuss that attackers accessed the system from stolen log in information, however they never mentioned how they were acquired. This leaves us wondering what fixes would work best to best mitigate similar attacks in the future. PowerSchool mentioned in their report on the attack that they responded to the attack by securing their current system (PowerSchool, 2025). The usage of third-party members to help PowerSchool secure their data could help them maintain their image as well (CMIT Solutions, 2025).

3.0 Assessment

This breach impacts all organizations who utilized PowerSchool's system to store employee and student data (TechRadar, 2025). Although the ransom was paid for the data breach and was reported to be deleted it is likely there is a backup being stored for the attackers to sell or use as another ransom later on. This could hurt PowerSchool's business schools could possibly choose to switch systems following these attacks. Not only have will they face issues keeping their users and acquiring new ones due to these attacks but they may also suffer further financial losses from lawsuits since they are in violation of not protecting data that is their responsibility. This also affects individual schools and families for example Bladen County Schools in North Carolina reported that they have experience loss of student and employee data even though PowerSchool isn't their current student information system (Bladen County Schools, 2025). This breach will leave questions for schools on how they would like to store their student's data in future although as seen previously if you ever used a system in the past your data is still being stored by your previous system.

4.0 Implications

Schools focus is on education have been known to have lackluster cybersecurity measures and I believe that we need to hold school systems to a higher standard. In the same way that teachers help form the future success of our youth it is important in today's world that we protect students' information. Data breaches have become a regular occurrence, and we must do everything in our power to prevent them so that people can grow up and know their information is still private. While people want to expand the usage of technology in education it is important there is proper training, and data is stored securely when wanting to take further steps in technology in the classroom (Bankole & Olajide, 2024). This attack not only resulted in a massive data breach but also puts a target on PowerSchool and other online education systems once the attackers know that companies are willing to pay a ransom (Cybersecurity Dive, 2025). This is the downside that comes along with organizations paying ransoms it causes further targeting and runs the risk of the data having copies that attackers could still use for their own benefit. The combination of unused student social security numbers and the knowledge that companies will pay a ransom is dangerous for students, employees, and organizations. As well as the fact that switching systems may not make the impact you desire since if you were ever a member of a system it is likely that many of your user's sensitive information is still stored on your previous system and you're almost doubling your risk by spreading your data across multiple organizations. I believe there should be laws put in place to make sure that schools follow protocols to ensure that we protect students' data.

5.0 Solutions

Although sources lack very little details on how attackers managed to access log in information there are some policies we could implement to help with misuse of user logins. Schools should implement such as two factor authentication, password storage, and make users choose complex passwords. This would help prevent similar attacks to the PowerSchool data breach. We also need to ensure schools are properly staffed and managed to protect student data. Cloud services which are being used within schools are being mismanaged by schools and relying completely on third parties to completely manage and protect important student data (Reidenberg, Russell, Kovnot, Norton, & Cloutier, 2013). These actions are risky because although third-party software is commonplace in schools the transfer of data and maintenance of these applications still need to be managed by cybersecurity professionals. Laws in place leave cybersecurity on the backburner for public education by not giving the job of maintaining cybersecurity to each school district leaving the standards vague and at a low level of protection (Alao, 2013). The maintenance of cybersecurity should be left to each school district to make sure that there is proper staffing to maintain the school's third-party databases as well as any other technology systems. Having designated cyber security teams with stricter policies and laws that must be followed by each district would greatly help the protection of each school. All in all there is much to be done by not only schools but also the systems that store their information and this needs to be addressed to help protect student and employee personal information.