Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 23 · EDUCATION & RESEARCH

Education & Research. The most sensitive data of the most vulnerable users — under the smallest cybersecurity budgets of any sector.

In December 2024, attackers compromised PowerSchool — the SIS vendor for 18,000+ school organisations across 90 countries — exposing approximately 60 million students and 10 million teachers. 82% of US K-12 schools experienced a cyber incident between July 2023 and December 2024. The 2023 Minneapolis Public Schools attack exposed 300,000 student files including sexual-assault and psychiatric records. PULSE engineers education infrastructure in which student-record data and research-IP corpora do not exist in a form that vendor-side or perimeter compromise can extract.

Education & Research — 2024 Threat Profile

In December 2024, attackers compromised PowerSchool — the SIS provider for 18,000+ school organisations across 90 countries — exposing the records of approximately 60 million students and 10 million teachers.

60M
Students whose data was exposed in the December 2024 PowerSchool breach (per K-12 Dive coverage of guilty plea proceedings) — alongside 10 million teachers — through compromise of a single Student Information System vendor used by 18,000+ school organisations across 90 countries.
Source: PowerSchool / K-12 Dive / DOJ proceedings

USD 2.85M
Ransom extorted from PowerSchool by the 19-year-old who pleaded guilty in May 2025 for the December 2024 attack. PowerSchool subsequently disclosed the data was used by separate threat actors to extort individual school districts.
Source: K-12 Dive / DOJ / PowerSchool 2025

82%
Proportion of US K-12 schools that experienced a cyber incident between July 2023 and December 2024 — Center for Internet Security survey. The US had 130 documented education-sector ransomware attacks in 2025 alone.
Source: CIS survey / Comparitech 2025

325+
Documented ransomware attacks against US school districts between April 2016 and the end of November 2022 (K12 SIX). The 2023 Minneapolis Public Schools breach exposed 300,000 student files including sexual-assault and psychiatric records.
Source: K12 SIX / Minneapolis Public Schools

Threat Landscape

Education holds the most sensitive data of the most vulnerable users — and operates with the smallest cybersecurity budgets of any sector.

The education and research threat landscape is defined by a structural mismatch between the sensitivity of the data held and the resources available to protect it. K-12 school districts hold student-record data — full name, date of birth, social security number, parent contact information, medical and Individualised Education Programme details, disciplinary records, free-and-reduced-lunch eligibility, sometimes psychiatric and protective-services notes — that is in many respects more sensitive than financial-services data, because it concerns minors who cannot defend their own credit or identity for years to come. Universities additionally hold research data, intellectual property, and grant-funded work product that has commercial and national-security value. The cybersecurity budgets of school districts and most universities are a fraction of those in finance, healthcare, or defence.

The December 2024 PowerSchool incident is the canonical recent illustration. PowerSchool — the cloud-based Student Information System provider for over 18,000 school organisations across 90 countries, supporting more than 60 million students — was compromised through its PowerSource customer-support portal between December 19 and 28, 2024, by a 19-year-old US national who used compromised credentials to access the "export data manager" customer-support tool and exfiltrate the "Students" and "Teachers" database tables. The attacker extorted PowerSchool for USD 2.85 million; PowerSchool paid the ransom and was provided with a video purporting to show data deletion. In May 2025, the same data resurfaced as separate threat actors began extorting individual school districts directly. [01]

A leaked credit-card record can be cancelled within hours. A leaked student-record set including the full SSN of a child cannot be cancelled. The child will become an adult carrying a permanently compromised identity into every credit application, every employment background check, every healthcare interaction, every government-services touchpoint of their adult life.

The 2024 incident calendar is comprehensive: the September 2024 Granite School District (Utah) ransomware attack affected 450,000 current and former student records; the 2023 Minneapolis Public Schools Medusa-ransomware attack exposed 300,000 student files including sexual-assault, psychiatric-hospitalisation, and abusive-parent records when the district refused to pay the USD 1 million ransom; the October 2023 Otsego Public Schools breach exposed names, SSNs, driver's license numbers, and payment information; the December 2021 Illuminate Education breach exposed millions of student records. The American higher-education incident pattern follows similar lines, with the 2024 University of Pennsylvania breach (1+ million records claimed) and persistent targeting of research-grant-funded data by PRC-aligned APT campaigns. [02]

The international research-sector dimension is consequential. PRC-affiliated APT groups have systematically targeted Western university research output for at least two decades, with focus on dual-use technologies, emerging materials, biosciences, and AI/ML research. The targeting parallels defence-industrial-base targeting in everything except the lower defensive posture of the academic targets.

Common Attack Vectors

Education attack vectors concentrate in vendor-channel compromise, ransomware against district IT, and research-data espionage.

The same vectors recur: SIS-vendor and ed-tech-vendor compromise propagating to thousands of districts simultaneously; ransomware against under-resourced district IT departments; research-data espionage by nation-state-aligned actors against university targets; and identity-data targeting of student records for downstream credit fraud.

VECTOR / 01

SIS / Ed-Tech Vendor Channel Compromise

PowerSchool 2024 (60M+ students), Illuminate Education 2021, and the 2023 MOVEit campaign affecting multiple education-sector vendors all exemplify the pattern: a single breach of a widely deployed education-software vendor cascades to thousands of school districts simultaneously. The downstream districts have no architectural visibility into the vendor's security posture.

18,000+ school orgs via single SIS vendor — PowerSchool 2024

VECTOR / 02

Ransomware Targeting District IT

Minneapolis Public Schools (Medusa, 2023, 300,000 student files), Granite School District (2024, 450,000 records), Los Angeles Unified School District (2022, Vice Society), and dozens of other US district-level attacks demonstrate the sustained pattern. K12 SIX documented 325+ US district ransomware attacks 2016–2022; the rate has continued to rise.

300,000 student files leaked — Minneapolis Public Schools 2023

VECTOR / 03

University Research Data Espionage

PRC-affiliated APT groups have targeted Western university research output for over two decades — focus areas include dual-use technologies, materials science, biosciences, AI/ML research, quantum computing, and aerospace. The targeting pattern parallels defence-industrial-base targeting; the defensive posture is lower.

2 decades sustained PRC research-IP targeting

VECTOR / 04

Student-Identity Targeting for Downstream Fraud

Children's personal data is highly valuable to identity-theft actors because minors do not check their own credit reports. FTC data shows 8,197 identity-theft reports for people 19 and younger in Q1 2025 alone — up 17.5% year-on-year. A leaked student SSN can be exploited for years before discovery.

+17.5% youth identity theft Q1 2025 — FTC

Operational and Regulatory Impact

FERPA. State student-data-privacy laws. The federal compliance regime exists; the federal cybersecurity-funding regime does not.

The Family Educational Rights and Privacy Act (FERPA, 20 USC §1232g) governs the privacy of student education records. The Children's Online Privacy Protection Act (COPPA, 15 USC §6501–6506) governs the online collection of personal information from children under 13. State-level student-data-privacy laws apply in parallel — California's SOPIPA, Connecticut's SB 1011, and equivalents in 25+ other states impose specific obligations on ed-tech vendors and education entities.

The federal cybersecurity-resourcing regime for education has been notably uneven. The 2025 federal administration discontinued K-12-specific cybersecurity programmes through MS-ISAC and shuttered the US Department of Education's Office of Educational Technology, leaving school districts to face an escalating threat surface with reduced federal support.

The international framework is correspondingly varied. The EU GDPR applies to education entities holding personal data of EU residents, with specific child-protection provisions. The UK Data Protection Act 2018 and the Information Commissioner's Office Children's Code apply parallel obligations. Australia's Privacy Act 1988 (as amended in 2022) imposes maximum penalties of AUD 50 million per breach for serious or repeated interference with privacy.

For higher-education research specifically, US grant-funded research is subject to NSPM-33 cybersecurity expectations, NIST SP 800-171 controls for federally-funded research handling Controlled Unclassified Information, and CMMC requirements for Department of Defense research contracts. EU research subject to Horizon Europe funding incorporates equivalent cybersecurity expectations.

Reframing

Education cybersecurity is the only domain where the institution holding the most sensitive data of the most vulnerable users is also the institution with the smallest cybersecurity budget.

The PULSE Position

In a PULSE-substrate education environment, student-record data and research-IP corpora do not exist in a form that vendor-side or perimeter compromise can extract.

The defining structural exposure of education-sector cybersecurity is the combination of long-tail data sensitivity (student records concerning minors with permanently non-revocable identifiers) and short-tail resource scarcity (district IT budgets that cannot fund the controls that would be standard in financial services or healthcare). Bridging the gap with conventional control overlays is economically infeasible for the vast majority of US K-12 districts. The PowerSchool incident demonstrates the consequence: a single vendor compromise has consequences at the scale of every district that uses that vendor.

An education entity — district, university, ed-tech vendor — running PULSE substrate does not aggregate student-record data, research-data corpora, or PII into vendor-side or central-administration-side recoverable forms. Student A's record at any specific moment exists only in the form, location, and access scope necessary for the specific operational step in question — class-roster generation, transcript request, IEP-team review, parent-conference scheduling. A breach of the vendor or of the central administration produces no aggregable student-record corpus.

For research data, the same architectural commitment applies. Grant-funded research output, dual-use technology research, and PII-containing study data are anchored in forms that an adversary with full network access cannot exfiltrate as a usable corpus. A PowerSchool-class breach produces no exploitable consequence in a PULSE-substrate education environment. The means is the trade secret. We disclose it under executed Mutual Non-Disclosure Agreement only.

Strategic Briefing — Available Under NDA

Education PULSE deployment, FERPA / COPPA / EU GDPR / state-privacy alignment, and SIS-and-research reference architecture.

Architectural-fit assessment for K-12 district, charter-network, university-system, ed-tech-vendor, and research-institute scenarios. Quantified student-record-disclosure model under PULSE substrate. Cross-jurisdictional regulatory alignment matrix (FERPA / COPPA / state student-privacy laws / EU GDPR / UK ICO Children's Code / Australia Privacy Act / NSPM-33 / NIST SP 800-171 / CMMC for research). Reference architecture for SIS substrate, LMS substrate, research-data substrate, and parent-portal segmentation.

Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

[01] PowerSchool — SIS Incident disclosure, December 2024 cybersecurity incident affecting customer Student Information System data.
[02] K-12 Dive — Ransomware attacks in education jump 23% year over year; 19-year-old pleaded guilty to extorting PowerSchool for USD 2.85M; CIS found 82% of US K-12 schools experienced a cyber incident between July 2023 and December 2024.
[03] US Department of Education — Family Educational Rights and Privacy Act (FERPA), 20 USC §1232g; 34 CFR Part 99.
[04] US Federal Trade Commission — Children's Online Privacy Protection Rule (COPPA), 15 USC §6501–6506.
[05] K12 Security Information Exchange (K12 SIX).
[06] Verizon 2024 Data Breach Investigations Report — analysis of 30,458 security incidents and 10,626 confirmed breaches across 94 countries.
[07] IBM Cost of a Data Breach Report 2024 (Ponemon Institute, sponsored by IBM, July 2024) — covering 604 organisations across 16 countries and 17 industries between March 2023 and February 2024.
[08] US National Institute of Standards and Technology — Special Publication 800-171: Protecting Controlled Unclassified Information.
[09] European Union — General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.