PowerSchool Data Breach: Lessons for GRC Leaders about the Newest Third-Party Risks

Published On: May 8th, 2025
Categories: Governance, Risk & Compliance: GRC, Third-Party and Vendor Risk

The PowerSchool data breach has become a defining example of third-party risk failure in education and EdTech. It’s a harsh wake-up call for ethics, Governance, Risk, and Compliance (GRC) teams.


What Caused This Data Breach?

On December 28, 2024, PowerSchool confirmed that a compromised credential had been used to access its PowerSource customer portal—a system that supports school staff across 17,000 districts and serves over 55 million students worldwide. It wasn’t until May 2025, however, that the company’s response became public. PowerSchool made the decision to pay a ransom and, in return, was given a video of the hacker “deleting” the data. Whether the information is now entirely gone remains unclear. In short, it is difficult to confirm that the 300,000+ Social Security numbers the hackers accessed were not copied elsewhere first.

CrowdStrike (which suffered its own global outage in July 2024), hired to investigate the breach, found signs that the credentials had been circulating on the dark web months before the attack. PowerSchool’s CISO acknowledged that the portal did not have multi-factor authentication enabled at the time. Apparently, PowerSchool’s software had numerous security vulnerabilities that went unnoticed until it was too late.

The takeaway? This is an unacceptable lapse, especially given the exposure of student contact information, Social Security numbers, and medical data: information that is often tough, if not impossible, to change.

On the black market, Social Security numbers and similar unchangeable data can be sold to facilitate identity theft and fraud, and even the creation of entirely new identities. The result? Victims can be left vulnerable for years, scrambling to repair the damage.

What is the Aftermath of this Data Breach?

Districts across the U.S., from North Carolina to California, are still receiving impact notifications. Over 30 class action lawsuits have already been filed. And while PowerSchool said the breach was “contained,” it has not disclosed how many schools were affected, nor has it said whether the data was copied before it was deleted.

How Can an Organization Make Sure a Data Breach Doesn’t Happen to Them?

For compliance officers and risk leaders, this isn’t just a crisis to observe—it’s a signal to act. Start by asking questions now, such as:

  • Do you know which vendors house your most sensitive data?

  • Are their security controls audited and enforceable?

  • Do your contracts define breach notification timelines, liability, and minimum safeguards?

  • Do you have a communications and insurance plan if your vendor is compromised?

Final Thoughts

PowerSchool’s breach wasn’t inevitable. But the damage is done. GRC teams can’t afford to rely on assumptions. This is the moment to reassess, verify, and tighten oversight across your digital ecosystem.
