A teenage hacker named Matthew Lane used stolen credentials to breach PowerSchool, the student information system used by school districts across the United States, exposing the personal data of more than 880,000 Texas students and teachers and impacting Dallas Independent School District alongside other districts nationwide. The breach has triggered a lawsuit from Texas Attorney General Ken Paxton, who accuses PowerSchool of failing to adequately protect sensitive student and teacher data.

What Happened

Federal investigators say Matthew Lane, a teenager who described his hacking activity as an addiction comparable to drug use, gained unauthorized access to PowerSchool's database using stolen credentials. Lane then assisted in moving the exfiltrated data overseas. PowerSchool is one of the largest student information platforms in the country, storing grades, medical information, personal data, and Social Security numbers for millions of students and educators. Dallas ISD confirmed it was notified by PowerSchool that private records belonging to its community were caught in the breach, alongside other districts across multiple states.

What Was Taken

The compromised data set is unusually sensitive because it concerns minors. Exposed records include:

Texas alone reported 880,000 affected residents, and the total nationwide impact spans numerous additional districts that rely on PowerSchool.

Why It Matters

Breaches involving minors' personal identifying information carry consequences that can last decades. Children's identities are prized targets for fraudsters because the theft often goes undetected until the victim reaches adulthood and applies for credit, financial aid, or employment. The PowerSchool incident also illustrates the systemic risk concentrated in education-sector SaaS platforms: a single credential compromise at a vendor cascades into hundreds of downstream districts. The Texas Attorney General's lawsuit signals that regulators are increasingly willing to hold vendors, not just school districts, accountable for safeguarding student data.

The Attack Technique

According to federal investigators, the intrusion began with stolen credentials rather than a software exploit or zero-day vulnerability. Lane used those credentials to authenticate into PowerSchool's environment and access the underlying database. Once inside, the actor exfiltrated records and helped route the stolen data to overseas infrastructure. The case underscores how identity, not perimeter, remains the central control plane for SaaS platforms holding regulated data, and how a single set of valid credentials can unlock an entire multi-tenant ecosystem.

What Organizations Should Do

  1. Enforce phishing-resistant multi-factor authentication on all administrative and support accounts for PowerSchool and any third-party education platforms.
  2. Audit existing PowerSchool access, rotate credentials, and review session and login logs for anomalies dating back to the breach window.
  3. Apply least-privilege principles to vendor and contractor accounts, and disable shared or generic logins that enable credential reuse.
  4. Implement data loss prevention and egress monitoring to detect bulk export of student records to unfamiliar destinations.
  5. Notify and provide identity protection services to affected students, parents, and staff, with extended monitoring given the long tail of risk for minors.
  6. Review vendor contracts for security obligations, breach notification timelines, and audit rights to ensure regulatory exposure is appropriately allocated.
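
As an added example (not from the original article or from PowerSchool), items 2 and 4 above can be combined into one log check: flag any account whose exports from a source IP not seen during a baseline window reach a bulk volume. The log format, field names, thresholds and sample lines are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (hypothetical format, not PowerSchool's own).
# Columns: timestamp,account,source_ip,action,rows
SAMPLE_LOG = """\
2024-01-08T08:01:00,support_admin,198.51.100.10,login,0
2024-01-08T08:05:00,support_admin,198.51.100.10,export,120
2024-01-09T08:02:00,support_admin,198.51.100.10,login,0
2024-01-09T08:10:00,support_admin,198.51.100.10,export,95
2024-01-10T02:14:00,support_admin,203.0.113.77,login,0
2024-01-10T02:16:00,support_admin,203.0.113.77,export,48000
2024-01-10T02:21:00,support_admin,203.0.113.77,export,52000
2024-01-10T09:00:00,registrar,198.51.100.22,login,0
2024-01-10T09:05:00,registrar,198.51.100.22,export,300
"""

BASELINE_DAYS = 2    # assumption: earliest days in the log count as known-good history
BULK_ROWS = 10_000   # assumption: per-day export volume that warrants review


def find_suspicious_exports(log_text, baseline_days=BASELINE_DAYS, bulk_rows=BULK_ROWS):
    """Return (account, source IP, day) combinations where an IP unseen during
    the baseline window exported at least bulk_rows records in one day."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if r]
    days = sorted({r[0][:10] for r in rows})
    baseline = set(days[:baseline_days])
    known = defaultdict(set)      # account -> source IPs seen during baseline
    exported = defaultdict(int)   # (account, ip, day) -> rows exported that day
    for ts, account, ip, action, count in rows:
        day = ts[:10]
        if day in baseline:
            known[account].add(ip)
        elif action == "export":
            exported[(account, ip, day)] += int(count)
    findings = []
    for (account, ip, day), total in sorted(exported.items()):
        # A new IP alone is noisy; require bulk volume as well.
        if ip not in known[account] and total >= bulk_rows:
            findings.append({"account": account, "source_ip": ip,
                             "day": day, "rows": total})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_exports(SAMPLE_LOG):
        print("REVIEW:", finding)
```

The `registrar` account also appears from an IP with no baseline, but its 300-row export stays under the threshold, which is why the check pairs the two signals instead of alerting on either alone.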

Sources: 'I was addicted to hacking' | Teen tells how gaming led to cybercrime, breaching nationwide school systems, including Texas | wfaa.com