Texas Attorney General Sues PowerSchool Over Data Breach
Texas Attorney General Ken Paxton has initiated a lawsuit against PowerSchool, a prominent education technology firm based in California. The legal action arises from a substantial data breach that compromised the sensitive personal information of over 880,000 school-aged children and teachers in Texas.
Overview of the Data Breach
In December 2024, PowerSchool experienced a significant breach that resulted in unauthorized access to a wealth of personal data. This included not only names and addresses but also Social Security numbers, medical information, disability records, and details pertaining to special education services. Alarmingly, even school bus stop locations were included in the exposed data. Officials warn that the breadth of this information significantly increases the risk of identity theft and various other security threats for both students and educators.
How the Breach Occurred
Court documents reveal that a hacker infiltrated PowerSchool’s systems using a subcontractor’s account that lacked sufficient security measures. This administrative access allowed the hacker to transfer vast amounts of unencrypted data to a server located overseas. PowerSchool serves a broad customer base, functioning in approximately 18,000 school districts across the United States, with around 6,500 educational institutions directly affected by this breach. In total, the incident has affected more than 62 million students and nearly 10 million teachers worldwide, with a particularly severe impact on Texas.
Allegations Against PowerSchool
The Texas Attorney General’s Office asserts that PowerSchool has breached both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. Investigators contend that PowerSchool misrepresented the robustness of its cybersecurity measures to customers and failed to implement basic protections such as multi-factor authentication, stringent access controls, and data encryption.
“Parents should never have to worry that the information they provide for their children’s education could be compromised,” Paxton stated. He emphasized that if technology companies believe they can benefit from managing sensitive data while neglecting security protocols, they are mistaken. The lawsuit claims that PowerSchool falsely promoted its software as conforming to "the highest security standards" and providing "state-of-the-art protections."
Response and Accountability
In the wake of the breach, PowerSchool has admitted that it lacked multi-factor authentication at the time of the incident. However, the company has not issued a public statement regarding the Texas lawsuit, and inquiries from the media have reportedly gone unanswered. Earlier this year, a Massachusetts college student pleaded guilty to orchestrating the hacking, although the specifics of his sentencing and restitution details remain unclear. Nonetheless, Paxton’s office stresses that PowerSchool is directly accountable for the extent of the data exposure, given its insufficient security measures.
Broader Implications
This lawsuit stands out as one of the most significant legal actions aimed at a technology vendor in the education sector, calling attention to the urgent need for robust cybersecurity in educational technology. As schools become increasingly dependent on cloud services to manage sensitive student and employee data, the liability of third-party providers is under scrutiny.
Cybersecurity experts point out that the exposure of sensitive records—especially health-related and disability information—poses long-lasting risks for both students and educators. Additionally, the revelation that bus stop locations were part of the compromised data raises serious safety concerns, as such details could potentially be exploited to locate minors.
This incident adds to the growing scrutiny PowerSchool faces from multiple states and educational districts, highlighting the collective demand for more stringent oversight of tech companies that handle massive quantities of personal information.
Future Directions
As the lawsuit progresses, Paxton’s office aims to enforce penalties against PowerSchool and enhance protections for Texas families. “We will pursue every avenue to ensure that companies responsible for managing children’s information adhere to the highest standards,” he stated.
For parents and educators affected by the PowerSchool data breach, officials advise staying vigilant about monitoring account activities, credit information, and personal records to mitigate potential risks stemming from this significant data compromise.
