What to Do After the PowerSchool Data Breach

In one of the largest education data breaches in history, PowerSchool — the software platform used by over 16,000 school districts worldwide — confirmed that hackers accessed the personal information of approximately 62 million students and 9.5 million educators. If your child's school uses PowerSchool, here's exactly what happened and what you need to do right now to protect your family.

What Happened in the PowerSchool Breach

On December 28, 2024, PowerSchool discovered that an unauthorized individual had gained access to their Student Information System (SIS) through a compromised employee password on the PowerSource customer support portal. The breach began on December 19 and went undetected for nine days due to a lack of multifactor authentication on the portal.

The attacker — later identified as 19-year-old Matthew D. Lane — exfiltrated massive amounts of sensitive data from school databases across the globe. Lane was sentenced to four years in federal prison in October 2025 and ordered to pay approximately $14.1 million in restitution.

PowerSchool paid approximately $2.85 million in Bitcoin to the attacker in an effort to prevent the stolen data from being released. However, despite this payment, extortion emails containing samples of stolen data were sent to schools in Canada and North Carolina as recently as May 2025.

What Information Was Exposed

The breach potentially exposed a wide range of personal information, including:

• Full names of students, parents, and educators
• Contact information including home addresses, phone numbers, and email addresses
• Dates of birth
• Social Security Numbers
• Limited medical alert information (such as allergies or health conditions recorded in the school system)
• Academic records and enrollment information

Steps to Protect Yourself and Your Family

1. Confirm Whether You Were Affected

Contact your child's school district directly and ask whether they used PowerSchool's Student Information System. PowerSchool has been working with affected districts to send individual breach notification letters. Check your mail and email for official notifications.

2. Enroll in Free Credit Monitoring

PowerSchool is offering two years of free identity protection and credit monitoring services to affected individuals. Look for enrollment details in your breach notification letter. Even if you haven't received a letter yet, contact your school district to ask about these services.

3. Freeze Your Child's Credit

One of the most effective steps you can take is placing a credit freeze on your child's credit file at all three major bureaus — Equifax, Experian, and TransUnion. Children shouldn't have credit files, so if one exists, it may be a sign of fraud. A credit freeze is free and prevents anyone from opening new accounts in your child's name.

4. Monitor for Signs of Identity Theft

Watch for these red flags that someone may be using your child's identity:

• Mail addressed to your child from financial institutions, collection agencies, or the IRS
• Pre-approved credit card offers in your child's name
• Bills for services you didn't authorize
• A notice that your child's Social Security Number is already associated with a tax return

5. Place a Fraud Alert

If you suspect your information or your child's information has been misused, place a fraud alert with one of the three credit bureaus (they're required to notify the other two). An initial fraud alert lasts one year, while an extended fraud alert lasts seven years for confirmed identity theft victims.

6. Remove Your Family's Information From Data Brokers

The stolen data may already be circulating on data broker sites, making your family even more vulnerable to scams and identity theft. A data removal service like PrivacyOn can systematically remove your personal information from 100+ data broker sites, reducing your family's exposure. PrivacyOn's family plan covers up to 5 family members, making it ideal for protecting your entire household after a breach like this.

7. Watch for Phishing and Follow-Up Scams

Breaches like this often lead to secondary scams. Be wary of:

• Emails or calls claiming to be from PowerSchool or your school district asking for additional personal information
• Fake "identity protection" services trying to collect your data
• Phishing emails that reference the breach to create urgency

Long-Term Protection Strategies

The PowerSchool breach is a stark reminder that your family's data is only as secure as the systems that store it. Here are steps to stay protected going forward:

• Enable dark web monitoring: Services like PrivacyOn include 24/7 dark web monitoring that alerts you if your family's personal information appears in underground marketplaces or forums.
• Use unique passwords: Ensure all family members use unique, strong passwords for every online account, especially school-related platforms.
• Enable two-factor authentication: Add an extra layer of security to all accounts that support it.
• Review school privacy policies: Before sharing personal information with any educational platform, ask what data they collect and how they protect it.

Your Rights After a Data Breach

Depending on your state, you may have additional rights after a data breach. Several states have filed lawsuits against PowerSchool, including Texas, where Attorney General Ken Paxton sued the company for compromising the personal information of over 880,000 Texas schoolchildren and teachers. Check with your state's Attorney General office to learn about any class action lawsuits or additional protections available to you.

The PowerSchool breach underscores the importance of proactive privacy protection. Don't wait for the next breach to take action — consider enrolling in a comprehensive privacy protection service like PrivacyOn to continuously monitor and remove your family's personal information from data brokers, people-search sites, and the dark web.