PowerSchool SIS Breach Exposed Student and Staff Data
PowerSchool disclosed a security incident affecting its Student Information System (SIS), a platform widely used by K-12 school districts to manage student records, enrollment, attendance, grades, and related administrative data. Reporting on the breach indicates attackers accessed sensitive information stored in SIS environments, with exposed data potentially including student and staff names, contact details, dates of birth, Social Security numbers, medical information, and other school records, depending on the district.
The incident raised broad concern across the education sector because a compromise of a centralized SIS provider can affect many districts at once and expose minors' data alongside employee information. Public coverage and PowerSchool's incident communications indicate the company moved to investigate and notify affected customers, while schools and families were urged to review breach notices, monitor for identity theft, and assess the long-term privacy impact of the exposure of highly sensitive educational records.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
PowerSchool posts updated incident information
PowerSchool published an updated SIS incident notice summarizing the breach, response actions, and support resources for affected customers. The update served as an official status page for the ongoing incident response.
PowerSchool offers mitigation and identity protection services
Following disclosure, PowerSchool offered affected individuals and districts credit monitoring or identity protection support and published guidance for customers. The company also continued outreach to impacted schools and families as part of its remediation efforts.
PowerSchool publicly discloses the SIS data breach
In early January 2025, PowerSchool publicly acknowledged the incident and informed customers that personal information belonging to students and educators had been accessed. Reporting described the breach as affecting numerous school districts across the United States and Canada.
PowerSchool detects the intrusion and begins response
PowerSchool identified the unauthorized activity in late December 2024, terminated the access, engaged cybersecurity responders, and began notifying affected customers and authorities. The company also stated it took steps to secure the environment and investigate the scope of the breach.
Threat actor accesses PowerSchool SIS support platform
PowerSchool said a threat actor gained unauthorized access to its PowerSource customer support portal using compromised credentials and used a maintenance tool to access customer data from Student Information System environments. The incident affected school districts using PowerSchool SIS and exposed student and staff information.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PowerSchool Breach Exposed Student and Teacher Data as Minnesota District Faced Suspected Ransomware
A breach tied to **PowerSchool**, a widely used K-12 software provider, exposed student and teacher information from school districts across the U.S., including New Jersey districts where officials said data on students and educators was stolen in a nationwide cyberattack. Reporting on the incident said the compromise affected records held by schools using the platform, raising concerns about the scale of exposure across the education sector and the security of sensitive K-12 data. Separately, **Spring Lake Park Schools** in Minnesota canceled classes and shut down technology systems after an outside actor gained unauthorized access to district networks in what officials described as a suspected ransomware incident. The disruption affected classes, child care, community education, and after-school programs, while the district worked with third-party cybersecurity experts, state law enforcement, and the **FBI** to contain the intrusion and restore operations; officials later said classes would resume and that they had no evidence at that point that personal information had been affected.
May 25, 2026
Canadian School Systems Faulted in PowerSchool Data Breach
Canadian privacy regulators released investigative reports attributing significant responsibility for the PowerSchool data breach to the school systems that used the platform. The breach, which occurred in December, exposed personal information of over 62 million students and 9 million teachers, with data in some cases dating back to 1985. The reports highlighted that the affected schools failed to include adequate privacy and security provisions in their contracts with PowerSchool, did not effectively monitor the company's security safeguards, and lacked proper breach response protocols. Additionally, the lack of multifactor authentication and insufficient limitations on remote access for PowerSchool support personnel were cited as key security lapses. The Ontario and Alberta information and privacy commissioners recommended that schools renegotiate contracts to strengthen privacy and security requirements, implement better oversight of third-party vendors, and establish more robust breach response plans. The incident underscores the importance of comprehensive vendor management and the need for educational institutions to enforce standard security practices, such as multifactor authentication, to protect sensitive student and staff data.
Mar 21, 2026
Infinite Campus says Salesforce account breach exposed school staff contact data
Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s **Salesforce** account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did **not** reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor **ShinyHunters** claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate. Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that **no student data was breached**.
Mar 28, 2026