62 Million Student Records Stolen Because Nobody Turned On MFA
In December 2024, a single stolen password gave an attacker access to 62 million student records through PowerSchool, the platform used by thousands of school districts across the country, including at least 15 in Minnesota.
Names. Addresses. Social Security numbers. Medical alerts. All of it exported through an admin portal that didn't require multi-factor authentication.
PowerSchool paid $2.85 million in ransom. A 19-year-old was charged. Texas sued. And 62 million families found out their children's data was in someone else's hands.
This wasn't sophisticated. It was a stolen password and an unlocked door.
It Keeps Happening
82% of K-12 schools experienced a cybersecurity incident between 2023 and 2024, according to the Center for Internet Security. Ransomware attacks on schools jumped 92% in a single year.
The pattern is the same every time:
Minneapolis Public Schools (2023)
Medusa ransomware. Refused the $1 million ransom. The attackers dumped 300,000 files online, including campus sexual misconduct cases, child abuse inquiries, student mental health records, and building security blueprints. 105,000 people weren't notified for seven months.
Granite School District in Utah (2024)
450,000 student records accessed. Social Security numbers for 15% of students. Employee payroll and bank account data exposed. $1.5 million ransom demanded.
The average remediation cost for a K-12 ransomware attack is $3.76 million, and that doesn't include the ransom payment.
Why Schools Keep Getting Hit
School districts run on small IT teams, tight budgets, and aging infrastructure. A typical rural Minnesota district has one IT person covering hundreds of devices across multiple buildings.
The security tools built for enterprises don't work here. They require dedicated analysts to monitor dashboards, investigate alerts, and respond to incidents. A 1-person IT department covering 300 students doesn't have that capacity.
So most districts end up with basic antivirus, maybe Windows Defender, and hope for the best.
Meanwhile, Minnesota's new 72-hour breach reporting law (effective December 2024) means districts now have three days to report an incident to the Bureau of Criminal Apprehension. If you don't know you've been breached, like the 14-day dwell time at Community Dental Care or the months-long gap at MPS, you're already out of compliance before you even find out.
What Would Have Made a Difference
The PowerSchool breach needed one thing: MFA on the admin portal. That's it.
The Minneapolis breach needed network segmentation so one compromised machine couldn't reach every server in the district.
Most school breaches need security that works without a dedicated analyst watching it. Something that detects threats autonomously, responds in real time, runs on-prem so student data stays on the district's network, and doesn't require a six-figure SOC to operate.
That's what we built at SYNTEX. Guardian AI runs autonomously. It detects, responds, and logs decisions without human intervention. No cloud dependency. No per-seat minimums. No data leaves the network.
But regardless of what tool a district uses, the minimum bar is this: MFA everywhere, network segmentation, and something watching the endpoints that doesn't need a human babysitting it.
If your district hasn't done at least that much, the question isn't whether you'll get hit. It's when.