In February 2023, the Minneapolis school district refused to pay a $1 million ransom demand from the Medusa ransomware group. Attackers responded by posting approximately 300,000 stolen files on the dark web — including student sexual assault complaints, psychiatric hospitalization records, child abuse inquiry files, and suicide attempt documentation dating back to 1995. Over 105,000 individuals were eventually notified, seven months after the attack. The district initially described the breach to families as an “encryption event.”
This is the education sector’s cybersecurity problem in one story: a district facing a catastrophic data exposure, with no documented incident response plan for student data exfiltration, no staff trained to recognize or report the phishing that got attackers in initially, and a seven-month delay in FERPA-required notification that exposed the district to significant OCR enforcement risk.
Education is now the third most targeted sector for ransomware globally (CISA, 2024 Annual Ransomware Trends Report). The entry point in the overwhelming majority of K-12 incidents is a single staff member clicking a single email. The outcome ranges from a district-wide shutdown to the exposure of decades of student mental health records. The difference between those outcomes is almost entirely determined by whether the district trained its staff before the attack — and documented it.
The Incidents That Define the Sector’s Threat Landscape
1. Los Angeles Unified School District — $800,000 Ransom Demand, 500GB Exfiltrated (2022)
The nation’s second-largest school district was breached by the Vice Society ransomware group over Labor Day weekend 2022. The timing was deliberate: a long weekend when IT staffing is minimal, system monitoring is reduced, and a ransomware deployment won’t be discovered until staff return on Tuesday.
Attackers used credentials leaked on the dark web to access the district’s VPN — credentials that had no MFA protection. Once inside the VPN, they moved laterally through systems for days before deploying ransomware. The district refused to pay the $800,000 demand. Vice Society published 500GB of data including student SSNs, psychological records, settlement documents, and employee records. The attack disrupted operations across a district serving 540,000 students and 70,000 employees.
What made LAUSD notable beyond the size: the district’s own audit identified the failure points. No documented security awareness training for non-technical staff. No MFA on remote access systems used by thousands of employees. No incident response plan that included a student data breach notification protocol. The absence of all three was documented and became the template for what a school district needed to fix — not just after a breach, but before one was inevitable.
The failure chain in LAUSD’s case was a textbook example of the attack path that still exists in most K-12 districts today: dark web credential leak → no MFA on VPN → lateral movement for days → ransomware deployment → data exfiltration → public disclosure → regulatory exposure. Every step in that chain has a documented defensive control that stops it.
2. Minneapolis Public Schools — 300,000 Files, 105,000 Individuals Notified (2023)
The Medusa ransomware group targeted Minneapolis Public Schools in February 2023 with a $1 million ransom demand. The district refused to pay. Medusa posted roughly 300,000 stolen files to their dark web leak site.
The files exposed were particularly sensitive: student sexual assault complaints, psychiatric records, child welfare case files, and documentation of prior abuse investigations. The exposure wasn’t random — school districts are repositories for exactly this kind of sensitive family information because they are the institutions legally mandated to receive and document it. That data is now on a dark web leak site accessible to anyone who pays.
The notification timeline was the second crisis. FERPA requires districts to notify affected individuals “as expediently as possible,” and state student data privacy laws impose additional obligations. Minneapolis Public Schools took seven months to complete notification to over 105,000 individuals. That gap between breach and notification is what regulators look at — and it’s what cyber insurance carriers scrutinize when assessing whether the district exercised reasonable security practices.
The initial access in the Minneapolis case was a phishing email. Staff training on phishing recognition would have addressed the root cause. The absence of an incident response plan for data exfiltration meant the district discovered the full scope of the breach weeks after initial encryption was detected. The delayed notification meant the district was simultaneously managing a data breach, a regulatory investigation, and a media story that could have been substantially narrower with a faster, documented response.
3. Prince George’s County Public Schools — 190,000 Student Records Exposed (2023)
In October 2023, Prince George’s County Public Schools in Maryland disclosed a data breach affecting approximately 190,000 current and former students. The breach exposed names, dates of birth, school identification numbers, and in some cases Social Security numbers. The entry point was unauthorized access to a district database via a compromised employee account.
Prince George’s County sits in a data-rich environment: the district serves a large, diverse student population in a metropolitan area near significant federal and government infrastructure. Student data from the district could be valuable for identity theft markets and for targeted social engineering against district families. The district’s response included offering two years of credit monitoring to affected students — a standard breach response that reflects the reality that student SSNs, once exposed, create long-term identity theft risk that persists through adulthood.
4. PowerSchool Holdings — 62 Million Student Records, 9.5 Million Educators (December 2024)
The largest K-12 data breach in history. In December 2024, a threat actor accessed PowerSchool’s customer support portal using compromised credentials and exfiltrated data from the Student Information System used by over 18,000 school districts. Names, addresses, SSNs, medical information, grades, and academic records for approximately 62 million students and 9.5 million educators were exposed.
PowerSchool paid a reported $2.85 million ransom to prevent the data from being published. Months later, the attacker returned with fresh extortion demands. In April 2025, the DOJ charged a 19-year-old in connection with the breach.
The PowerSchool incident is categorically different from the others because the breach occurred at the vendor level, not the district level. Districts had no control over PowerSchool’s security posture. School officials didn’t know the exposure existed until notification letters arrived. The FERPA “school official” vendor agreements that most districts had on file were scrutinized post-breach — districts needed to demonstrate that PowerSchool met the criteria of a school official under FERPA, which includes acting under the district’s direct control and only using data for the purposes authorized by the district.
The lesson for districts: your FERPA vendor risk management obligations include verifying that every EdTech vendor with access to student data meets the school official standard. Most districts had template agreements on file without having actually verified the security practices of the vendors they’d signed them with.
5. MOVEit — National Student Clearinghouse (Millions), USG (800,000), UCLA (2023)
In May 2023, the Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit managed file transfer platform. The education sector was among the hardest hit.
The National Student Clearinghouse — which processes enrollment verification, degree verification, and transcript exchange for 3,600 colleges and 22,000 high schools — was breached, exposing enrollment records for potentially millions of students. The University System of Georgia disclosed 800,000 affected individuals. UCLA confirmed a separate breach. Over 2,771 organizations and 95 million individuals were ultimately affected globally.
For schools that used third-party vendors whose data processing passed through MOVEit, the incident was structurally identical to PowerSchool: an external vendor breach that exposed student data, with no visibility or control at the district level. Districts receiving breach notification letters in late 2023 and 2024 for MOVEit-related exposure were in the uncomfortable position of notifying families of a breach they couldn’t have prevented through their own controls.
The defensive implication: third-party vendor risk management is now a direct FERPA obligation, not just a security best practice. Districts that deploy EdTech tools without verifying vendor security posture, without data processing agreements that specify breach notification timelines, and without documented vendor assessment processes are building FERPA liability into their operations.
6. FERPA Enforcement: What OCR Has Been Doing 2023–2025
The Department of Education’s Office of Information and Regulatory Affairs (OCR) has substantially increased enforcement activity in the FERPA space over the past three years, driven by the spike in education sector breaches and the resulting complaint volume from affected families.
Key enforcement patterns:
- Documented training as a reasonable safeguard: OCR’s position in multiple resolution letters is that documented security awareness training for staff with access to student records is evidence of “reasonable safeguards” under FERPA. Districts that cannot produce training records are in a materially weaker position when OCR investigates a breach.
- Notification timing: OCR has cited delayed notification in multiple cases. FERPA’s “as expediently as possible” standard is not unlimited, and districts that took more than 60 days to notify after discovering a breach have faced findings of non-compliance.
- Vendor oversight: OCR has begun requiring districts to demonstrate that vendor agreements meet the school official criteria and that vendors have adequate security controls. Districts that deployed EdTech tools with standard terms-of-service click-through agreements have been required to remediate those agreements.
The regulatory trend line is clear: districts that cannot show documented training, documented IR plans, documented vendor assessment processes, and documented breach notification timelines are building FERPA liability with every year of inaction.
7. Ransomware-as-a-Service and the Industrialization of K-12 Attacks
The attacks on LAUSD, Minneapolis, and dozens of other school districts over the past three years are not isolated incidents by individual hackers. They are the output of an industrialized ransomware-as-a-service (RaaS) ecosystem that has specifically targeted K-12 because it works.
The RaaS model works as follows: a core ransomware development team (LockBit, ALPHV/BlackCat, Clop, Medusa, Vice Society) develops and maintains the ransomware toolkit and associated infrastructure. Independent “affiliates” — individual hackers or small groups — use the toolkit to execute attacks on specific targets. The core team takes a percentage of any ransom paid. This model has dramatically lowered the barrier to entry for attacking school districts: an affiliate with no sophisticated technical skills can purchase access to tools capable of taking down a 50,000-student district.
Why K-12 specifically:
- Limited IT resources: Most K-12 districts have small IT teams managing thousands of endpoints across dozens of buildings. The ratio of IT staff to students or devices is far lower than in comparable private-sector organizations.
- Outdated infrastructure: Many districts run unpatched servers and legacy systems because the cost of infrastructure modernization competes with teacher salaries in budget allocations. The result is a large attack surface with known vulnerabilities that aren’t patched.
- High-value data: Student PII — SSNs, addresses, medical information, family financial data — has a long shelf life for identity theft and fraud. A student’s SSN exposed at age 8 remains exploitable for decades.
- Low security maturity: Most districts lack dedicated security staff, security operations centers, or formal incident response plans. Valuable data + minimal defense = attractive target.
- Pressure to pay: Districts under ransomware pressure face a choice between paying to restore operations or facing prolonged disruption affecting thousands of students and families. This pressure is well understood by attackers and exploited in ransom negotiations.
Attack Patterns Across the Sector
Across these seven incidents — from a district-level ransomware attack to a vendor-level breach of 62 million records — the attack patterns cluster into four categories:
Initial Access: Phishing and Credential Compromise
Without exception, every documented K-12 ransomware incident in the past five years began with an initial access vector involving compromised credentials. In most cases, this was a phishing email that harvested an employee’s login credentials. In some cases, it was credentials leaked on dark web markets from prior breaches and reused without MFA protection. This is not a technical failure — it’s a training and awareness failure. Districts that have implemented phishing simulation training and documented it for FERPA compliance have significantly lower rates of credential compromise, because the simulations catch the problem before the real attack arrives.
Lateral Movement and Persistence
Once inside the network via a compromised credential, attackers in most education sector incidents spent days to weeks moving laterally before deploying ransomware. The typical pattern: compromised staff email account → probing of shared drives → access to district databases → escalation to domain admin → deployment of ransomware across the network. The failure point is network segmentation and monitoring. Districts with limited IT staff often lack the monitoring tools to detect an attacker moving through the network over multiple days.
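A small detector for the multi-day pattern just described, added here as an example and not code from the article or from any district's tooling. It groups constructed network-logon events by account and day, learns each account's normal distinct-host fan-out from its first days, and raises an alert when a staff account suddenly reaches many more hosts or touches an administrative/SIS-tier host that staff workstations should never talk to directly. Host names, the `teacher.` account prefix, the tier list and the events are all assumptions constructed for the example.

```python
"""Detect multi-day lateral movement by a compromised staff account.

Added example (not from the original article). Two signals from the
attack chain above: (1) fan-out, an account reaching far more distinct
hosts in a day than during its baseline, and (2) tier crossing, a staff
account reaching a host in the protected administrative/SIS tier.
"""
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: hosts that staff accounts must never reach.
ADMIN_TIER = {"SIS-DB01", "FIN-DB01", "DC01"}

# Constructed logon events (timestamp, account, destination host).
# Days 1-3 are normal staff behaviour; days 4-5 show the probing pattern.
EVENTS = [
    ("2023-02-01T08:10:00", "teacher.a", "FS-STAFF01"),
    ("2023-02-01T08:12:00", "teacher.a", "MAIL01"),
    ("2023-02-02T08:05:00", "teacher.a", "FS-STAFF01"),
    ("2023-02-03T08:20:00", "teacher.a", "MAIL01"),
    ("2023-02-03T08:21:00", "teacher.a", "FS-STAFF01"),
    # day 4: probing shared drives late at night
    ("2023-02-04T23:05:00", "teacher.a", "FS-STAFF01"),
    ("2023-02-04T23:06:00", "teacher.a", "FS-STAFF02"),
    ("2023-02-04T23:07:00", "teacher.a", "FS-HR01"),
    ("2023-02-04T23:09:00", "teacher.a", "FS-SPED01"),
    ("2023-02-04T23:11:00", "teacher.a", "FS-COUNSEL01"),
    # day 5: reaching the SIS database and the domain controller
    ("2023-02-05T22:40:00", "teacher.a", "SIS-DB01"),
    ("2023-02-05T22:55:00", "teacher.a", "DC01"),
    # an unrelated admin account doing its normal job
    ("2023-02-05T09:00:00", "admin.b", "DC01"),
]


def parse(events):
    """Group events into {account: {day: set(hosts)}}."""
    by_day = defaultdict(lambda: defaultdict(set))
    for ts, account, host in events:
        by_day[account][datetime.fromisoformat(ts).date()].add(host)
    return by_day


def detect(events, baseline_days=3, fanout_factor=2, staff_prefixes=("teacher.",)):
    """Return alerts as (day, account, signal, detail) tuples.

    The first `baseline_days` observed days for an account establish its
    normal distinct-host fan-out; any later day exceeding fanout_factor
    times the baseline maximum raises a 'fanout' alert.  A staff account
    (identified by prefix, an assumption) reaching an ADMIN_TIER host
    raises a 'tier_crossing' alert regardless of volume.
    """
    alerts = []
    for account, days in parse(events).items():
        ordered = sorted(days)
        baseline_set = set(ordered[:baseline_days])
        baseline = max((len(days[d]) for d in baseline_set), default=0)
        is_staff = account.startswith(staff_prefixes)
        for day in ordered:
            hosts = days[day]
            if day not in baseline_set and len(hosts) > fanout_factor * baseline:
                alerts.append((str(day), account, "fanout",
                               f"{len(hosts)} hosts vs baseline max {baseline}"))
            crossed = sorted(hosts & ADMIN_TIER)
            if is_staff and crossed:
                alerts.append((str(day), account, "tier_crossing", ",".join(crossed)))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

With the constructed events the day-4 share-probing fires the fan-out signal and the day-5 SIS/DC access fires the tier-crossing signal, while the admin account's routine DC logon stays silent.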
Data Exfiltration Before Encryption
Modern ransomware operators follow a two-step process: first exfiltrate sensitive data (student records, employee files, financial documents), then encrypt the systems. The encryption is the leverage for ransom. The exfiltrated data is a secondary leverage mechanism — if the district refuses to pay for decryption, attackers threaten to publish the stolen data. For districts, this means the breach damage extends beyond operational disruption. Student mental health records, special education documentation, disciplinary records, and family financial information are now on dark web leak sites regardless of whether the ransom is paid. The data exposure is permanent; the operational disruption may be temporary.
Vendor Supply Chain Attacks
The PowerSchool and MOVEit incidents represent a new category of education sector breach: vendor-level supply chain attacks. Districts that had no direct vulnerability and no ability to detect the breach were still responsible for notifying affected individuals when student data was exposed through their vendors. Districts that had documented vendor risk assessment processes, signed data processing agreements with breach notification clauses, and conducted periodic vendor security reviews were in a materially better position to respond. Districts that had simply clicked through vendor terms-of-service were starting from scratch at the moment of maximum stress.
Compliance Requirements: FERPA, CIPA, SOPIPA, and StateRAMP
FERPA (Family Educational Rights and Privacy Act)
FERPA requires all school districts receiving federal education funding to protect student education records from unauthorized disclosure. The law applies to any employee, contractor, or vendor with access to student records — and its definition of “unauthorized disclosure” includes disclosures caused by staff falling for phishing emails or by EdTech vendor breaches. OCR has consistently held that documented security awareness training for all staff with access to student records is evidence of reasonable administrative safeguards. Districts that cannot produce training records are in a materially weaker regulatory position when OCR investigates a breach.
CIPA (Children’s Internet Protection Act)
Schools receiving E-rate funding must maintain an “internet safety policy” that includes an “educational initiative” addressing unauthorized access, safety of minors, and inappropriate content. While CIPA’s educational initiative requirement is flexible in form, the most defensible and effective implementation is a structured cybersecurity awareness training program. CIPA compliance and FERPA training documentation can be satisfied by the same documented program.
SOPIPA and State Student Data Privacy Laws
California’s SOPIPA (Shine the Light Law) and New York’s Education Law § 2-d impose contractual obligations on EdTech vendors and require schools to vet vendors before student data is shared. Districts that deployed tools without proper data processing agreements bear direct liability under these laws. SOPIPA requires vendors to provide reasonable data security and to notify districts of breaches; districts must ensure those clauses are in their agreements.
StateRAMP (for State Education Agencies)
StateRAMP is increasingly required for EdTech vendors serving state-funded schools, similar to FedRAMP for federal agencies. If your district uses StateRAMP-authorized vendors, your procurement process should include security questionnaire review and documented vendor assessment. The Executive training tier covers vendor risk assessment for technology directors and procurement staff.
Defensive Controls That Would Have Changed the Outcomes
| Control | Stops | Implementation |
|---|---|---|
| Phishing simulation training with documented results | LAUSD, Minneapolis, Prince George’s County initial access | Monthly simulated phishing campaigns; documented click rates and remediation; FERPA training record for all staff with student record access |
| MFA on all remote access (VPN, M365, SIS portals) | LAUSD, PowerSchool credential compromise | MFA on VPN and all district portals; SIS and student information system access should require phishing-resistant MFA (FIDO2/passkey) |
| Documented FERPA incident response plan with student data breach notification protocol | Minneapolis 7-month delay; OCR enforcement exposure | Written IR plan covering ransomware triage, data exfiltration assessment, FERPA notification timelines, board communications, cyber insurance activation |
| EdTech vendor security questionnaire and data processing agreements | PowerSchool, MOVEit supply chain exposure | Documented vendor security questionnaire (StateRAMP template or equivalent); data processing agreements with breach notification clauses and school official certification |
| Network segmentation between staff workstations and administrative/SIS systems | Lateral movement post-credential compromise | Segment SIS and financial systems from staff email/workstation traffic; limit domain admin access to essential personnel only |
| Immutable offline backups with monthly restore testing | Ransomware operational impact | 3-2-1 backup: 3 copies, 2 different media types, 1 immutable/offline; test full restore monthly; verify SIS and student records are included in backup scope |
| Board-level cybersecurity briefings with documented attendance | Executive oversight gap; delayed decision-making during incidents | Quarterly briefings for school boards on threat landscape, incident response plan status, and training documentation; FERPA board governance documentation |
What Districts Should Do This Week
- Audit your VPN and SIS portal MFA status. If your VPN or student information system login is protected only by a password, add MFA this week. This single control would have prevented the LAUSD breach. PowerSchool’s compromised customer support portal had no MFA requirement — a vendor security questionnaire would have flagged this.
- Download the Incident Response Plan Template (free at /free-ir-plan). It includes a FERPA student data breach notification template, board communication script, and cyber insurance first-24-hours checklist adapted for K-12. Walk through it with your IT director and superintendent this month.
- Audit your EdTech vendor agreements. Pull every vendor that has access to student data and verify: does the agreement specify breach notification timelines? Does the vendor certify it meets the FERPA school official standard? Have you conducted a documented security questionnaire review? The absence of these agreements is a FERPA liability that exists whether or not a breach has occurred.
- Run a phishing simulation with your staff this week. Send a simulated phishing email to all staff and track the click rate. Document the results as evidence of your training program. If more than 15% of staff click the simulated phishing email, your real-world exposure is significant. Book a training session to run a phishing resistance drill with your team.
- Book a district leadership session. The SecurEveryone K-12 training program covers ransomware tabletop exercises for IT directors, FERPA documentation for administrators, and staff-wide phishing awareness training with documented completion records for OCR compliance. Sessions are available starting at $150 for individual staff and $900 flat for unlimited users district-wide.
Education sector attacks aren’t going to decrease in frequency. The RaaS industrial complex has mapped the K-12 attack surface and found it profitable: distributed IT environments, limited security staff, valuable student data, and operational pressure that incentivizes ransom payment. The only structural defense is the one that’s always been available and consistently underfunded: trained staff who don’t click the first email.
The cases in this article — LAUSD, Minneapolis, Prince George’s County, PowerSchool, MOVEit — all share a common thread: the breach succeeded because the defensive controls that would have stopped it were either absent or undocumented. Documentation matters not because compliance paperwork is valuable, but because documented controls are the evidence that OCR and cyber insurance carriers use to assess whether a district exercised reasonable security practices. Undocumented training doesn’t count. Unwritten incident response plans don’t protect you. The investment in training and documentation now is the only thing that changes the outcome when the next phishing email lands in your staff’s inbox.
Sources: LAUSD breach reporting per LA Times, Krebs on Security. Minneapolis Public Schools breach reporting per KSTP, Star Tribune. PowerSchool breach per DOJ press release, Krebs on Security. MOVEit/Clop advisory per CISA. FBI IC3 2023 and 2024 Annual Reports. MS-ISAC K-12 Threat Brief. IBM/Ponemon Cost of a Data Breach 2025. Verizon DBIR 2024. StateRAMP vendor authorization framework.
The education sector’s cybersecurity problem isn’t a technology gap — it’s a training and documentation gap. See the SecurEveryone K-12 program and book a session that creates the FERPA training records and incident response plans your district needs.