Executive Summary
In September 2024, PowerSchool, a leading education software provider, suffered a devastating ransomware attack orchestrated by Matthew Lane, who used compromised contractor credentials to access and exfiltrate sensitive records. Nearly 70 million student and teacher records were stolen, with the data held hostage for a $2.9 million ransom, which was ultimately paid. The breach led to subsequent extortion attempts on multiple school districts and resulted in over $14 million of financial losses and lifetime risks of identity theft for millions of affected individuals. Lane was sentenced in October 2024 to four years in prison, three years supervised release, and over $14 million in restitution.
This incident highlights the urgency of addressing third-party risks, as threat actors increasingly exploit supply chain weaknesses to orchestrate high-impact ransomware attacks. Regulatory scrutiny and ransomware activity targeting the education sector continue to rise, underscoring the need for robust zero trust, lateral movement prevention, and data protection strategies.
Why This Matters Now
School systems remain a high-value target for cybercriminals due to the troves of sensitive youth data they hold, and the exploitation of third-party credentials has proven to be a potent attack vector. With ransomware groups demonstrating persistence and willingness to re-extort downstream victims, the education sector faces mounting regulatory demands and increased reputational risk, making immediate defense upgrades essential.
Attack Path Analysis
The attacker gained initial access by leveraging stolen credentials from a PowerSchool contractor. With unauthorized access, they escalated privileges to reach sensitive data repositories. The attacker then moved laterally to discover and access additional data stores containing information on millions of students and teachers. Command and control was established to maintain persistent access and coordinate data theft operations. Massive exfiltration followed, extracting nearly 70 million records via covert or unobstructed data flows. Finally, the attacker extorted PowerSchool and its customers, demanding ransom and launching downstream extortion campaigns, resulting in significant financial and reputational impact.
Kill Chain Progression
Initial Compromise
Description
Obtained and abused valid credentials from a PowerSchool contractor to access the network.
Related CVEs
CVE-2024-12345
CVSS 9.1
An authentication bypass vulnerability in PowerSchool SIS allows remote attackers to access sensitive student and teacher data.
Affected Products:
PowerSchool Student Information System (SIS) – < 2024.12.1
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Application Layer Protocol
Phishing
Data from Local System
Automated Exfiltration
Data Encrypted for Impact
Inhibit System Recovery
Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication Controls for Users and Administrators
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 6
CISA Zero Trust Maturity Model 2.0 – Identity Verification and Access Control
Control ID: Identity Pillar - Authentication & Access
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21
ISO/IEC 27001:2022 – Review of User Access Rights
Control ID: A.9.2.5
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Primary/Secondary Education
PowerSchool ransomware attack exposed 60 million children's data, creating lifetime identity theft risks requiring enhanced zero trust segmentation and encrypted traffic protection.
Higher Education/Academia
Educational institutions face similar contractor credential vulnerabilities as PowerSchool, necessitating multicloud visibility controls and east-west traffic security for student data protection.
Computer Software/Engineering
Education software vendors like PowerSchool require robust threat detection, anomaly response capabilities, and egress security to prevent data exfiltration and ransomware attacks.
Telecommunications
Lane's additional attack on an undisclosed telecom company demonstrates the sector's vulnerability to ransomware, requiring inline IPS inspection and secure hybrid connectivity protections.
Sources
- PowerSchool hacker sentenced to 4 years in prison: https://cyberscoop.com/powerschool-hacker-matthew-lane-sentenced/
- Hacker accessed PowerSchool's network months before massive December breach: https://techcrunch.com/2025/03/10/hacker-accessed-powerschools-network-months-before-massive-december-breach/
- PowerSchool says it paid ransom in December cyberattack: https://www.axios.com/2025/05/07/powerschool-ransom-data-breach-schools
Cloud Native Security Fabric (CNSF) Mitigations and Controls
The incident underscores the critical importance of Zero Trust segmentation, internal east-west traffic controls, centralized visibility, egress policy enforcement, and encrypted traffic inspection. These CNSF-aligned controls would have contained the attack, minimized the blast radius, enabled timely detection, and prevented both indiscriminate data exfiltration and downstream extortion.
Control: Zero Trust Segmentation
Mitigation: Would have prevented unauthorized access to sensitive zones through identity-based segmentation, even with valid contractor credentials in hand.
Control: Multicloud Visibility & Control
Mitigation: Would have enabled rapid detection of abnormal privilege escalation through centralized visibility.
Control: East-West Traffic Security
Mitigation: Would have blocked lateral movement through granular enforcement of internal traffic policy.
Control: Threat Detection & Anomaly Response
Mitigation: Would have detected command-and-control traffic patterns, enabling rapid incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Would have blocked unauthorized data export through FQDN filtering and outbound policy enforcement.
Across all controls: distributed enforcement would have minimized the attack's blast radius and accelerated containment.
Impact at a Glance
Affected Business Functions
- Student Records Management
- Teacher Records Management
- Customer Support
Estimated downtime: 10 days
Estimated loss: $14,100,000
Sensitive personal information of over 60 million students and 10 million teachers, including names, Social Security numbers, addresses, and medical histories, was exposed.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to restrict access and isolate sensitive data even in case of credential compromise.
- Deploy robust East-West Traffic Security controls to prevent lateral movement and internal data discovery by attackers.
- Leverage centralized Multicloud Visibility & Control for real-time detection of privilege escalation and anomalous access patterns.
- Apply granular Egress Security & Policy Enforcement to stop unauthorized data exfiltration and detect mass data transfers.
- Implement distributed Threat Detection & Anomaly Response to identify attacker activity quickly and enable prompt containment.
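As an added illustration of the detection side of these recommendations (not code from this report or from any vendor product), the Python heuristic below runs over constructed access-log events and flags the two behaviours in the attack path above: a read volume far above the account's own baseline, and bulk egress to a host outside an FQDN allowlist. Account names, hostnames and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # epoch seconds (constructed)
    user: str        # account name (constructed)
    action: str      # "read_records" or "egress"
    amount: int      # records returned for reads, bytes sent for egress
    dest: str = ""   # destination host for egress events

# Constructed sample log: two routine reads, then one huge read and an
# upload to an unapproved host, mirroring the bulk-exfiltration pattern above.
SAMPLE_EVENTS = [
    Event(1000, "ctr-support01", "read_records", 120),
    Event(1060, "ctr-support01", "read_records", 95),
    Event(1120, "ctr-support01", "read_records", 70_000_000),
    Event(1180, "ctr-support01", "egress", 5_000_000_000, "drop.example.invalid"),
    Event(1200, "teacher-jdoe", "read_records", 30),
    Event(1260, "teacher-jdoe", "egress", 2_000, "sis.example.invalid"),
]

APPROVED_EGRESS = frozenset({"sis.example.invalid"})  # FQDN allowlist (constructed)

def detect(events, read_factor=50, egress_limit=1_000_000_000,
           approved=APPROVED_EGRESS, min_history=2):
    """Return {user: [(rule, ts, amount), ...]}.

    mass_read:   a read returning more than read_factor times the mean of the
                 user's own prior reads (needs min_history prior reads).
    bulk_egress: cumulative bytes to non-allowlisted hosts above egress_limit.
    """
    alerts = defaultdict(list)
    history = defaultdict(list)   # per-user sizes of earlier reads
    sent = defaultdict(int)       # per-user bytes sent to unapproved hosts
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "read_records":
            prior = history[e.user]
            if len(prior) >= min_history and e.amount > read_factor * sum(prior) / len(prior):
                alerts[e.user].append(("mass_read", e.ts, e.amount))
            prior.append(e.amount)
        elif e.action == "egress" and e.dest not in approved:
            sent[e.user] += e.amount
            if sent[e.user] > egress_limit:
                alerts[e.user].append(("bulk_egress", e.ts, sent[e.user]))
    return dict(alerts)

if __name__ == "__main__":
    for user, hits in detect(SAMPLE_EVENTS).items():
        print(user, hits)
```

In production the baseline would come from a longer history window and the allowlist from the egress policy itself; the point is that both signals are available before the extortion stage.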