CyberSecure

FOR LOCAL UNIONS

PowerSchool’s Massive Data Breach: How Did This Happen?

Secure Unions Team

Imagine you’re a teenager juggling algebra, Instagram, and the existential dread of college applications. Fast forward a few years, and you’re trying to take out a student loan only to find out your identity’s been stolen. Some cybercriminal has been wrecking your credit since middle school, and there’s not a thing you can do about it.

That nightmare scenario just became a reality for millions of students and educators across the U.S. and Canada, thanks to PowerSchool, the leading cloud-based K-12 education software provider in North America. In December 2024, the company got wrecked by hackers, who slipped in through a customer support portal and made off with an absurd amount of data, everything from Social Security numbers and addresses to students’ mental health records and special education status. That’s right, someone out there now has access to a 10-year-old’s ADHD diagnosis, disciplinary notes, and maybe even their parents’ custody battle details.

But the damage doesn’t stop with the students. Teachers got hit hard, too. Many of them — most likely members of teachers’ unions — now face a nightmare of financial fraud, identity theft, and exposure of their most private information. Social Security numbers, home addresses, tax records, and even potentially their employment and disciplinary records were all up for grabs. And just like the kids, they may not even know about it yet.

The worst part? PowerSchool could have stopped it.

What Went Wrong?

Let’s start with the obvious: no multi-factor authentication (MFA). A company handling data for 17,000-plus school districts didn’t bother implementing the same security measures that protect your Gmail account. All it took was a leaked password — something a third-grader could phish from a careless school admin — to unlock the vault.

Then there’s the insane amount of sensitive data PowerSchool was hoarding. Why were they storing decades-old student records, including behavioral reports and medical conditions? This wasn’t just a spreadsheet of GPAs; this was the deepest, most personal intel on millions of kids and teachers. And when cybercriminals got in, they took it all.


Who Did This and Why?

While PowerSchool hasn’t named names, cyber experts suspect a well-known ransomware gang stole the data. And here’s the kicker: PowerSchool paid the ransom the gang demanded in exchange for deleting the data. That’s right, not only could they have prevented this whole thing from happening by locking down their systems, they cut a deal with criminals, hoping the bad guys would just delete the data and walk away. Spoiler alert: they probably didn’t.


The Fallout: What Happens Now?

Students, parents, and teachers are now sitting ducks for identity theft, doxing, and scams. A fifth-grader’s Social Security number could be floating around the dark web right now, sold to some fraudster looking to open credit cards or take out a car loan. A teacher’s entire financial identity could be hijacked — credit trashed, tax returns stolen, even mortgages taken out in their name.

For educators, this breach isn’t just about personal security; it’s about job security, retirement savings, and professional reputations. If disciplinary records or evaluations were leaked, how would that impact careers? What about teachers who filed harassment complaints or had legal disputes? Suddenly, deeply private professional matters are potentially out in the open.

Lawsuits? Oh, they’re coming. Parents and teachers are already lawyering up, accusing PowerSchool of gross negligence. Cybersecurity watchdogs are dragging the company through the mud, and schools are scrambling to reassure panicked parents and educators that their futures haven’t just been sold to the highest bidder.


Will PowerSchool Learn its Lesson?

After putting millions at risk, PowerSchool is now playing PR cleanup, offering two years of free credit monitoring (basically a bandage on a bullet wound). But this doesn’t have to be the norm. The situation is not hopeless. This entire nightmare scenario could have been avoided by following basic cybersecurity best practices. With the help of organizations like SecureUnions.com, many labor unions are stepping up to protect their members by implementing proactive security measures, ensuring that their data — and their futures — remain safe. The fight for cybersecurity is just beginning, and the stakes couldn’t be higher. Make sure your organization is not part of the problem!

 
