The numbers should make every American parent furious. The United States poured more than $30 billion in 2024 alone into putting laptops and tablets in K-12 classrooms, continuing a multi-decade experiment that was supposed to modernize education and catapult American students to the top of global rankings. Instead, neuroscientists and learning experts now have a damning verdict: we produced the first generation in modern history to be less cognitively capable than their parents.
But the device disaster is only one front in a war being waged against American childrenâs futures. Layer on top of it a decade of disruptive, top-down curriculum overhaul courtesy of the Obama administrationâs Common Core push, and then add the catastrophic failure of the very technology platforms schools trusted to protect studentsâ most sensitive data, and you have a perfect storm of policy arrogance, corporate negligence, and systemic failure â with American children paying the price.
âNone of you asked to be sat in front of a computer for your entire K-12 schooling. That means we screwed up.â â Neuroscientist Jared Cooney Horvath, U.S. Senate testimony, 2026
The Screen Experiment That Backfired
The push to digitize American classrooms began with good intentions. In 2002, Maine became the first state to go all-in on a statewide laptop initiative, with then-Governor Angus King envisioning an internet-connected generation ready to conquer the knowledge economy. Districts across the country followed. Contracts with Apple, Google, and a constellation of edtech companies swelled. By 2024, annual spending on classroom technology exceeded $30 billion.
The results were catastrophic.
Neuroscientist Jared Cooney Horvath delivered written testimony before the U.S. Senate Committee on Commerce, Science, and Transportation earlier this year, laying out evidence that Gen Z students â raised entirely on classroom screens â are the first generation in modern history to score lower on standardized tests than the generation before them. Citing Program for International Student Assessment data from 15-year-olds across the world, Horvath documented not just declining scores but a stark statistical correlation: more screen time in school directly corresponded to worse outcomes.
Maine, the state that started it all, serves as the cautionary case study. After 15 years and hundreds of millions of dollars in Apple contracts, test scores had not improved. Then-Governor Paul LePage called the program a âmassive failure.â Nationally, literacy, numeracy, and problem-solving have all declined. And with the arrival of the iPhone in 2007 adding an always-on distraction layer on top of classroom technology, the cognitive atrophying accelerated.
The consequences extend well beyond report cards. A Stanford University study found that AI-driven automation is having âsignificant and disproportionate impact on entry-level workers in the U.S. labor marketâ â precisely the jobs a less cognitively capable generation would be competing for. Horvath went further, warning that a diminished populationâs ability to solve existential challenges â climate, disease, geopolitical conflict â is itself at risk. We didnât just make kids worse at tests. We may have compromised civilizationâs next line of problem-solvers.
The ObamaCore Debacle: When Washington Decided It Knew Best
The technology failure didnât happen in isolation. It coincided with one of the most sweeping and controversial curriculum overhauls in American educational history: the Obama administrationâs aggressive push for Common Core State Standards.
Common Core itself wasnât created by the federal government â it was developed through the National Governors Association and heavily funded by the Bill and Melinda Gates Foundation, which reportedly poured hundreds of millions of dollars into the initiative. But the Obama administrationâs Race to the Top program weaponized federal grant money to coerce states into adoption, making Common Core alignment a key criterion for accessing billions in education stimulus dollars during the depths of the Great Recession. By 2011, 44 states had signed on â not because their education experts were convinced, but because broke state governments needed the money.
Critics tagged it âObamaCoreâ for good reason. The federal governmentâs role in what was supposed to be a state-level standards initiative was expansive and, many argued, legally dubious. Secretary of Education Arne Duncan dismissed parent-led opposition as coming from âwhite suburban momsâ who didnât like discovering their children werenât as brilliant as they thought. It was a jaw-dropping display of contempt for the people schools are supposed to serve.
The results vindicated the critics. A study by the Center on Standards, Alignment, Instruction, and Learning found that Common Core had negative effects on student performance in both 4th-grade reading and 8th-grade math. Ted Rebarber of AccountabilityWorks, who co-authored multiple analyses of the initiative, called it âthe worst large-scale educational failure in 40 years.â Rather than closing achievement gaps, Common Core delivered a decade of stagnant and declining scores, while simultaneously distorting classroom instruction toward test-prep at the expense of genuine learning. Teachers taught to the test. Administrators gamed the metrics. Students fell further behind.
The legacy is a generation of students who went through school during a period of both curriculum disruption and technology saturation â a double hit that compounded the cognitive damage on both fronts.
The Privacy Catastrophe: When the Systems That Know Everything About Your Kids Get Hacked
Hereâs the dimension of this story that doesnât get enough attention: while schools were flooding classrooms with network-connected devices, mandating cloud-based learning management systems, and creating digital dossiers on every student from kindergarten through 12th grade, nobody was adequately securing any of it.
As weâve documented extensively at Breached.Company, educational institutions have become the most reliably targeted sector in cybercrime â and the attackers know exactly why. Schools store decades of sensitive personal data, run lean IT teams with little cybersecurity expertise, and have dramatically expanded their digital attack surface in the name of modern instruction. The result is open season on childrenâs records.
PowerSchool: The Breach That Broke Everything
The PowerSchool breach of December 2024 is the event that crystallized just how catastrophically exposed American childrenâs data had become. We covered the Matthew Lane case â the 19-year-old college student who orchestrated the theft of 70 million records â in detail, and the facts are staggering.
PowerSchool operates the most widely used Student Information System in the United States, serving more than 16,000 schools and 6,500 districts across North America. In late December 2024, Lane used a single set of stolen credentials to access PowerSchoolâs customer support portal â a portal that didnât have multi-factor authentication enabled â and over the course of days exfiltrated data belonging to an estimated 62 million students and 9.5 million teachers.
The stolen records werenât just names and grades. The breach exposed:
- Social Security numbers- Dates of birth and home addresses- Medical alert information- Parental contact details and custody arrangements- Active restraining orders against parents- In some districts, 40 years of historical student records
The attack was timed deliberately â hitting during the Christmas holiday window when IT staffing is at its lowest, a tactic weâve documented as a recurring pattern in school cyberattacks. South Portland Public Schools in Maine was among the districts caught flat-footed during the same holiday period.
PowerSchool paid the ransom â approximately $2.85 million in bitcoin â in exchange for a video supposedly showing the attacker deleting the data. It didnât work. By May 2025, attackers were still sending extortion emails to individual school districts with samples of the stolen data as proof of continued possession. As we noted in our analysis of third-party vendor dependencies and critical infrastructure, paying ransoms offers zero guarantee â and the PowerSchool case proved it in real time. More than 100 districts have since filed lawsuits against the company.
The CrowdStrike investigation commissioned by PowerSchool confirmed the company failed to implement basic security precautions. The breached account lacked MFA. The company didnât detect the intrusion for over 100 days after the hacker first accessed systems in September 2024. By the time PowerSchool knew it had been breached in late December, Lane had already looted thousands of districtsâ data and transferred it to servers in Ukraine. As we wrote in our cloud infrastructure failure analysis: âPowerSchoolâs customer support portal lacked even basic multi-factor authentication for a system storing millions of childrenâs Social Security numbers and medical data. Yet PowerSchool almost certainly passed whatever vendor risk assessments its customers performed.â
62 million students. 9.5 million teachers. Social Security numbers. Medical records. Custody arrangements. All of it, stolen from a system schools trusted to protect it â by a 19-year-old college student using stolen credentials on a portal with no MFA.
This Wasnât a One-Off
If PowerSchool were an isolated incident, it would be alarming enough. It isnât.
The 2025 academic year opened with a wave of ransomware attacks that forced multiple districts to close entirely. The South Lyon Community School District in Michigan shut down for three consecutive days after detecting a ânetwork security incidentâ affecting 8,400 students across 12 schools. The FBI was notified. The Uvalde school district â already one of the most traumatized in the country â was hit in the same back-to-school period.
Ransomware incidents across the education sector increased 23% year-over-year in the first half of 2025. Mean remediation costs for K-12 districts hit $3.76 million per incident in 2024. When school systems go down, it isnât just educational operations that stop â school meals, transportation, and parent communication all fail with them.
And itâs not only ransomware. In late 2025, a sophisticated phishing campaign struck New Haven Public Schools, with attackers using compromised student accounts to blast over 10,000 fraudulent emails harvesting banking information across the district. Roughly 1,000 students â 10% of the student body â opened the malicious messages. The same period saw Ivy League universities hit by coordinated social engineering attacks, with attackers at Penn gaining access to a university employeeâs account and exfiltrating data on 1.2 million individuals including students, alumni, and faculty.
In a particularly alarming case we covered on the double-edged sword of teen tech talent, a 14-year-old in Ohio successfully hacked Final Forms â a platform parents are required to use to enroll their children in school sports and submit medical documentation â accessing hundreds of thousands of student records using stolen credentials purchased on the dark web. The question that case forces isnât hypothetical: if a teenager âplaying around on the dark webâ can access 400,000 student records, what can a motivated criminal organization do?
According to the nonprofit Center for Internet Security, 82% of K-12 schools reported experiencing a cybersecurity incident between July 2023 and December 2024. The education sector takes an average of 4.8 months to report a ransomware attack. Education technology vendors â the third parties holding the actual data â take even longer, averaging 6.3 months.
The Third-Party Vendor Problem: You Canât Protect What You Donât Control
The PowerSchool breach exposes a structural vulnerability that extends far beyond one company. As our comprehensive analysis of third-party dependencies detailed, when schools shifted to cloud-based, device-dependent instruction models, they necessarily handed control of student data to a sprawling ecosystem of vendors â learning management systems, assessment platforms, communication tools, AI tutors, and analytics providers. Each one represents an additional attack surface. Each one collects sensitive student data. And schools â legally responsible for protecting that data under FERPA â often have no visibility into how those vendors actually secure what theyâve been given.
The dependency chains go deeper than anyone maps. PowerSchoolâs breach didnât just affect schools â it cascaded into third-party services that integrate with PowerSchool for analytics, communication, and reporting. Districts that believed they were managing their own data discovered they had no visibility into, or control over, the systems actually holding it.
The problem is compounded by an absence of meaningful data minimization practices. Because digital tools make it easy to collect everything, schools have historically collected everything â attendance patterns, behavioral flags, test scores, counseling notes, special education designations, and more. The result is that a single vendor breach can expose a childâs entire K-12 record in one fell swoop. The Toronto District School Boardâs revelation that 40 years of historical student data had been compromised in the PowerSchool breach is the inevitable outcome of this approach.
Parents and students concerned about what data is being collected and how itâs protected should be using tools designed specifically to navigate childrenâs privacy laws. The Children Privacy Laws resource at childrenprivacylaws.com provides guidance on COPPA (Childrenâs Online Privacy Protection Act), FERPA, state-level student privacy protections, and your rights as a parent to access, correct, and delete your childâs educational records. Understanding what protections exist â and where the gaps are â is the first step in demanding accountability from schools and the vendors theyâve entrusted with your childrenâs data.
What Needs to Happen
The policy failures documented here are not inevitable. They are the predictable result of moving fast, following money and ideology, and failing to center childrenâs actual cognitive development and safety in decision-making.
On technology in the classroom: Congress and state legislatures must impose efficacy standards for ed-tech funding. No device or platform should receive public school dollars without independent evidence that it actually improves learning outcomes. The era of billion-dollar contracts awarded on vendor promises needs to end.
On curriculum: The lesson of Common Core is that top-down, federally coerced curriculum overhaul implemented on political timelines without genuine educator and parent buy-in backfires every time. Education policy needs to be built from the classroom up.
On student data security: Schools must treat third-party vendor relationships as the cybersecurity risks they are â pre-procurement security assessments, contractual data minimization requirements, mandatory MFA for all vendor portals handling student data, and incident response plans that assume breaches will happen. The PowerSchool attack succeeded precisely because there was nothing the affected districts could have done to prevent it. That is an unacceptable risk posture for data this sensitive.
Legislatively: Congress should pass meaningful federal student privacy protections that extend COPPA and FERPA to cover the modern reality of cloud-based instruction, enforce data minimization, require breach notification within 72 hours, and create real penalties for vendors that fail to protect the data schools are required to entrust to them.
The Bottom Line
American students have been the subjects of three overlapping experiments: a device-saturation experiment that atrophied their cognitive capabilities, a curriculum standardization experiment that disrupted instruction without improving outcomes, and a data digitization experiment that created centralized repositories of childrenâs most sensitive information â secured, as the PowerSchool breach proved, with the barest minimum of precaution.
The kids didnât ask for any of this. As Horvath told the U.S. Senate, none of them asked to be sat in front of a screen for their entire K-12 education. The policy failures belong to the adults â the politicians, the vendors, the administrators, and the foundations that funded the experiment without adequate evidence it would work or adequate safeguards against it going wrong.
The least we can do now is stop doubling down on the same mistakes, start treating student data with the gravity it deserves, and build education policy around evidence of what actually helps children learn â not what sells devices, wins grants, or looks good in a press release.
Related coverage on Breached.Company:
- School Cyberattacks: A Growing Crisis Threatening Student Data and Educational Operations- The Teenage Hacker Who Stole 70 Million Records: The Matthew Lane Case- School Cyberattacks Plague Start of 2025 Academic Year- Educational Institutions Under Siege: New Haven Phishing Attack- Hackers Strike US Ivy League Schools Already Under Political Pressure- When the Cloud Falls: Third-Party Dependencies and the New Definition of Critical Infrastructure- The Double-Edged Sword of Teen Tech Talent
For more on childrenâs privacy rights and how to protect your studentâs data, visit childrenprivacylaws.com.