In December 2024, a college student named Matthew Lane hacked into PowerSchool, the dominant student information system used by over 16,000 schools in 90 countries. He walked out with the personal data of approximately 62 million students and nearly 10 million teachers.

It was the largest breach of children's data in American history.

The stolen records included Social Security numbers, medical conditions, disciplinary records, and academic histories. PowerSchool paid Lane $2.85 million in Bitcoin for a video of him "deleting" the data. He agreed to plead guilty and was sentenced to four years in federal prison with $14 million in restitution ordered, though prosecutors acknowledged the money would likely never be collected.

The ransom did not solve the problem. Months after the payment, individual school districts began receiving extortion demands from attackers using the same stolen data. The "deletion" video, it turned out, guaranteed nothing.

PowerSchool holds roughly 23% of the K-12 student information system market. It is the backbone of enrollment, grading, attendance, and reporting for thousands of districts. When it gets breached, there is no backup. The data is gone.

Over 100 school districts have now sued PowerSchool. Fifty-five lawsuits have been consolidated into multidistrict litigation. The company set aside $28 million for family reimbursement.

The breach exposed a structural vulnerability in how school districts manage student data. Most districts don't choose their student information system. They inherit it, or the state mandates it, or it's the only vendor that integrates with their other tools. Switching is expensive and disruptive. So when the vendor gets hacked, districts have no fallback and no leverage.

Sixty-two million children had their most sensitive information stolen by a single person using a single point of entry. The company paid the ransom. The data is still out there.

‍