PowerSchool Breach Exposed Student and Teacher Data as Minnesota District Faced Suspected Ransomware
A breach tied to PowerSchool, a widely used K-12 software provider, exposed student and teacher information from school districts across the U.S., including New Jersey districts where officials said data on students and educators was stolen in a nationwide cyberattack. Reporting on the incident said the compromise affected records held by schools using the platform, raising concerns about the scale of exposure across the education sector and the security of sensitive K-12 data.
Separately, Spring Lake Park Schools in Minnesota canceled classes and shut down technology systems after an outside actor gained unauthorized access to district networks in what officials described as a suspected ransomware incident. The disruption affected classes, child care, community education, and after-school programs, while the district worked with third-party cybersecurity experts, state law enforcement, and the FBI to contain the intrusion and restore operations; officials later said classes would resume and that they had no evidence at that point that personal information had been affected.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Spring Lake Park says athletics resume and classes to reopen
As restoration progressed, Spring Lake Park said high school athletics and activities would resume Tuesday and classes would reopen Wednesday. The district also said state law enforcement and the FBI were involved in the investigation and that it had no evidence personal information was affected at that time.
Spring Lake Park closes schools and programs after cyber incident
The district canceled classes for Monday and Tuesday following the intrusion, and the outage also disrupted child care, community education, and after-school activities on Monday. Officials said some systems required to operate schools safely were unavailable.
Unauthorized access detected in Spring Lake Park school systems
Spring Lake Park Schools said its technology team confirmed on Sunday that an outside actor had gained access to some district systems. Staff shut down systems to prevent further access and contain the incident.
New Jersey reports student and teacher data stolen in nationwide attack
New Jersey officials disclosed that data about students and teachers was stolen as part of the broader nationwide cyberattack tied to school systems. This marked a state-level impact disclosure connected to the larger breach.
PowerSchool discloses breach affecting K-12 student and teacher data
PowerSchool disclosed a cyberattack that exposed student and teacher information from K-12 school districts. The incident was reported as affecting districts nationwide.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Spring Lake Park schools to reopen Wednesday after cybersecurity incident - CBS Minnesota
cbsnews.com
Open sourceSpring Lake Park Schools closed Monday, Tuesday due to suspected ransomware incident - KSTP.com 5 Eyewitness News
kstp.com
Open sourceData about N.J. students, teachers stolen in nationwide cyberattack - nj.com
nj.com
Open sourcePowerSchool hack exposes student, teacher data from K-12 districts
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PowerSchool SIS Breach Exposed Student and Staff Data
PowerSchool disclosed a security incident affecting its Student Information System (SIS), a platform widely used by K-12 school districts to manage student records, enrollment, attendance, grades, and related administrative data. Reporting on the breach indicates attackers accessed sensitive information stored in SIS environments, with exposed data potentially including student and staff names, contact details, dates of birth, Social Security numbers, medical information, and other school records, depending on the district. The incident raised broad concern across the education sector because a compromise of a centralized SIS provider can affect many districts at once and expose minors' data alongside employee information. Public coverage and PowerSchool's incident communications indicate the company moved to investigate and notify affected customers, while schools and families were urged to review breach notices, monitor for identity theft, and assess the long-term privacy impact of the exposure of highly sensitive educational records.
May 2, 2026
Canvas Breach Disrupted Schools and Exposed User Data via Free-for-Teacher Flaw
A cyberattack against Instructure’s **Canvas** platform disrupted universities and K-12 schools across the United States, with major California institutions including UC, CSU, USC, Stanford, and community colleges reporting outages and academic disruption during finals. Ransom notes attributed to **ShinyHunters** appeared on some school homepages, and the FBI said it was assisting victims in multiple states while warning students and staff not to engage with extortionists or scammers. Schools extended deadlines, changed exam schedules, and shifted to alternate communication channels as Canvas services were restored. Instructure said an unauthorized actor exploited a vulnerability tied to support tickets in its **Free for Teacher** environment, which the company temporarily disabled while conducting a broader security review. The company later confirmed unauthorized access to part of its environment and said exposed data could include usernames, email addresses, course names, enrollment information, student ID numbers, and user messages, while passwords, dates of birth, government identifiers, financial data, course content, submissions, and credentials were not compromised. The incident renewed scrutiny of centralized education technology providers after earlier education-sector extortion cases, including reports that **PowerSchool** paid a ransom following claims that data on **62 million students** had been stolen.
Jun 3, 2026
PowerSchool Breach Hacker Sentenced After Extorting Student and Teacher Data
Matthew Lane, a Massachusetts student, pleaded guilty and was later sentenced in a federal case tied to the breach of education software provider **PowerSchool**, an intrusion U.S. authorities described as the largest cyberattack in U.S. education history. Prosecutors said Lane used stolen contractor credentials and vulnerability-scanning tools to access the company’s network, then threatened to publish sensitive records unless he was paid about **$2.85 million in Bitcoin**. The compromised data reportedly covered roughly **60 million students** and **10 million teachers**, including names, phone numbers, addresses, Social Security numbers and, in some cases, medical information. Authorities said Lane also extorted a separate telecommunications company for **$200,000** by threatening to release customer data. The case triggered ransom payments and White House Situation Room briefings, and investigators later found that some stolen PowerSchool data was allegedly retained by another actor and reused in follow-on extortion attempts against school districts. Lane received a **four-year federal prison sentence** and was ordered to pay more than **$14 million in restitution**, while U.S. investigators continue pursuing alleged co-conspirators.
May 25, 2026