The biggest data breaches of 2025 — so far

We’re barely a couple of months into 2025, but this year has already seen several data breaches affecting the personal information of millions of individuals, including everything from student records to phone data and sensitive health information.  

Last year, 2024, saw more than one billion records stolen. If the first two months of this year are anything to go by, 2025 looks set to be an unprecedented year for data breaches.

PowerSchool breach likely affects tens of millions of students and teachers

The breach of ed-tech giant PowerSchool is one of the biggest breaches of student data in recent history. While we still don’t know exactly how many records were stolen (PowerSchool has repeatedly refused to disclose this figure), reports claim that the breach affected more than 62 million students and 9.5 million teachers in the United States. 

PowerSchool, which provides K-12 software to more than 18,000 schools across North America, first disclosed the data breach in January. At the time, PowerSchool said that unnamed hackers used a single compromised credential to access its customer support portal, granting access to the wealth of data in its school information system, PowerSchool SIS, which schools use to manage student records.

The hackers accessed sensitive personal information, including students’ grades, medical information, and Social Security numbers. Multiple schools affected by the breach have told TechCrunch that other highly sensitive student data, including information about restraining orders, was accessed.

PowerSchool hasn’t confirmed or denied the reported 62 million figure, but various filings have confirmed that millions of people were affected by the breach. A filing with the Texas attorney general revealed that nearly 800,000 state residents had their data stolen, while the Rochester City School District confirmed that 134,000 students are affected.

PowerSchool recently confirmed to TechCrunch that around 16,000 people in the United Kingdom also had data stolen in the breach. 

Musk’s DOGE access represents a huge compromise of U.S. federal government data

The first few weeks of the Trump administration saw a different kind of breach — and one that will likely go down in history as the largest ever compromise of U.S. government data.

Individuals working for Elon Musk, who is behind the Trump administration’s so-called Department of Government Efficiency, or DOGE, took control of top federal departments and datasets to access huge troves of sensitive federal data. DOGE — made up of mostly private-sector employees from Musk’s own businesses — seized wide access to the U.S. government’s critical payment systems containing the personal information of millions of Americans and responsible for disbursing trillions of dollars every year.

Since then, a coalition of more than a dozen U.S. states has filed a lawsuit to block Musk’s team of cost-cutters from accessing government systems that contain the personal data of Americans. More than 100 current and former federal officials have also sued Musk’s DOGE agency for accessing the sensitive personnel records of Americans without proper authorization.

Community Health Center, a Connecticut-based nonprofit healthcare provider, said in January that a hacker had accessed the sensitive data of more than a million patients.

CHC, which provides services including school-based healthcare and substance abuse programs, said that the unnamed hacker compromised its network on January 2 to steal patients’ personal data and sensitive health information. This data includes patients’ addresses, phone numbers, diagnoses, treatment details, test results, Social Security numbers, and health insurance information.

Stalkerware apps Cocospy, Spyic, and Spyzie expose phone data of millions of people

A trio of stalkerware apps exposed the personal data of millions of people who unwittingly have them planted on their devices, a security researcher revealed to TechCrunch in February.

The three apps — Cocospy, Spyic, and Spyzie — all share the same security vulnerability that allows anyone to access the personal data, including messages, photos, and call logs, from devices that have the apps installed, typically without the device owners’ knowledge.  

The easy-to-exploit bug also exposes the email addresses of the people who signed up for the stalkerware apps. That allowed a security researcher to scrape the email addresses of around 3.2 million Cocospy, Spyic, and Spyzie customers, which were provided to breach notification site Have I Been Pwned.

U.S. employee screening service DISA confirms breach affecting over 3 million people

DISA, a Texas-based provider of employee screening services including drug and alcohol tests and background checks, confirmed in February a massive data breach that happened almost a year earlier in April 2024.

In a filing with Maine’s attorney general, DISA said the breach affected more than 3.3 million people who had undergone employee screening tests. While the company said its internal investigation “could not definitively conclude” what specific data was stolen, a separate filing in the state of Massachusetts confirms that Social Security numbers, financial information, and government-issued identity documents are among the stolen data.

DISA blamed the breach on an unidentified hacker, who had access to a portion of the company’s network for more than two months before they were noticed.
