Texas Sues PowerSchool Over Catastrophic Breach Exposing 62 Million Students

In a landmark legal move, Texas Attorney General Ken Paxton has filed a lawsuit against PowerSchool, a leading provider of cloud-based software for K-12 schools, following a catastrophic data breach in December 2024. The incident exposed the personal information of 62 million students globally, including over 880,000 Texans—escalating concerns about security failures in educational technology.

Anatomy of a Systemic Failure

The breach unfolded on December 19, 2024, when attackers used stolen credentials from a PowerSchool subcontractor to infiltrate the company's PowerSource customer support portal. The stolen data included:

• Full names, physical addresses, and phone numbers
• Social Security numbers and medical information
• Parent/guardian details and student passwords
• Faculty contact information and sensitive educational records

By December 28, the threat actor demanded a $2.85 million Bitcoin ransom, claiming to have exfiltrated data spanning 62.4 million students and 9.5 million teachers across 6,505 school districts in the U.S., Canada, and beyond.

"PowerSchool's failures violate both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act by misleading customers about its security practices," stated the Texas Attorney General's office.

Broken Promises and Escalating Threats

PowerSchool paid the ransom and received a video purportedly showing data deletion. Yet by May 2025, attackers began extorting individual school districts, threatening to leak student data unless paid—a tactic echoing the ShinyHunters threat group's signature double-extortion playbook.

In a startling revelation, 19-year-old college student Matthew D. Lane pleaded guilty to orchestrating the attack, exposing how easily sophisticated breaches can originate from non-state actors. CrowdStrike's forensic investigation later uncovered two prior breaches (August/September 2024) using the same compromised credentials, though attribution remains inconclusive.

Legal Reckoning for EdTech Security

Attorney General Paxton's lawsuit accuses PowerSchool of "cutting corners on security" while profiting from children's data, signaling a regulatory shift:

Key Legal Arguments:
1. Deceptive security representations to schools
2. Failure to implement credential rotation/access controls
3. Negligence in subcontractor oversight

This case highlights critical vulnerabilities in education technology:
- Supply chain risks: Third-party credentials as single points of failure
- Data minimization gaps: Why were SSNs and medical data retained?
- Incident response flaws: Paying ransoms doesn't guarantee data safety

The Unavoidable Lesson

As schools increasingly rely on SaaS platforms, the PowerSchool breach underscores a harsh truth: securing student data requires more than compliance checklists. It demands rigorous third-party audits, zero-trust architectures, and transparent breach protocols. With 46% of environments vulnerable to password cracking (per Picus Security's 2025 Blue Report), the education sector must treat student privacy as a non-negotiable imperative—not a negotiable cost.

Source: BleepingComputer