Texas Attorney General Ken Paxton filed suit against PowerSchool after a massive data breach exposed the personal information of more than 880,000 Texas students and teachers.
The California-based education technology company allegedly failed to implement basic security measures, allowing hackers to steal sensitive data, including Social Security numbers and home addresses.
The breach strikes at the heart of parental trust in school systems. PowerSchool’s software handles everything from enrollment to health records for K-12 schools across Texas.
Despite marketing itself as offering “state-of-the-art protections” for student data, PowerSchool lacked multi-factor authentication and proper encryption. The company processes sensitive information that Texas schools collect from parents and employees.
In December 2024, a hacker exploited a subcontractor’s account to gain administrative access. The cybercriminal transferred unencrypted data to a foreign server, stealing names, addresses, Social Security numbers, and medical records.
The stolen information included disability records, special education data, and bus stop locations. These details could potentially be used to physically locate Texas children.
“If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong,” Paxton said. “Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused.”
The lawsuit alleges PowerSchool violated the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. Paxton’s office claims the company misled customers about its security practices while failing to protect sensitive information.
“My office will do everything we can to hold PowerSchool accountable for putting Texas students, teachers, and families at risk,” Paxton added.
PowerSchool promotes its cloud-based platform as meeting “the highest security standards” for managing student information and school operations. The breach revealed a stark contrast between the company’s marketing claims and its actual security infrastructure.