Federal prosecutors recently announced a guilty plea agreement involving a 19-year-old Massachusetts student accused of orchestrating a cyberattack impacting tens of millions of students and educators. The breach compromised sensitive personal data from a major education software provider, described in court documents as a company matching the profile of PowerSchool—a platform used by schools across North America.
According to court filings, the attacker used stolen credentials to infiltrate the company’s systems, accessing personal records of over 60 million students and 10 million teachers. The stolen information included names, addresses, phone numbers, Social Security numbers, medical details, and academic records. In some cases, decades of archived student data were exfiltrated.
The breach aligns with publicly disclosed incidents at PowerSchool, which revealed in early 2025 that hackers had accessed its network months prior. The company acknowledged paying a ransom to prevent further dissemination of the data but did not disclose the amount. Prosecutors, however, cited demands for approximately $2.85 million in cryptocurrency from the attackers.
Authorities allege the defendant collaborated with an accomplice in Illinois to extort the company, threatening to expose the stolen data unless payment was made. Subsequent extortion attempts targeting school districts using PowerSchool’s software occurred months later, though the company asserted these were linked to the original breach and not a new incident.
While PowerSchool deferred comments to federal prosecutors, representatives did not dispute the ransom figure outlined in court documents. The defendant also faces charges related to a separate cyberattack on a U.S. telecommunications provider, though details remain undisclosed.
This case underscores growing concerns about vulnerabilities in educational technology systems and the risks posed by inadequate cybersecurity safeguards. Legal proceedings continue as authorities work to address the far-reaching consequences of one of the largest student data breaches in U.S. history.
