In a landmark case for K-12 cybersecurity, a Massachusetts college student was sentenced to four years in prison and ordered to pay nearly $14.1 million in restitution for hacking PowerSchool and extorting the company.
The hacker gained unauthorized access to PowerSchool’s network in September 2024 using an employee’s credentials and, by December, demanded a ransom of $2.85 million in Bitcoin under threat of publicly releasing massive amounts of student and teacher data.
The breach impacted more than 60 million students and 10 million teachers, exposing names, addresses, Social Security numbers, medical details, and other highly sensitive information.
What makes this incident so critical for education leaders is that, despite PowerSchool’s prior audits and public focus on cybersecurity, the company still suffered a catastrophic breach. Experts say the attack demonstrates that standard protective actions alone, such as firewalls and basic audits, are no longer enough.
Schools and districts using PowerSchool and other ed-tech platforms are now reassessing vendor security practices, contract terms, cyber insurance, and crisis-response readiness. Lawsuits against PowerSchool continue, putting pressure on ed-tech firms to demonstrate robust cybersecurity postures.
The sentencing serves as both a cautionary tale and a wake-up call: cyber threats in the education sector are escalating, and the consequences of failing to defend against them are equally severe.