Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach
The St. Croix Falls, Wisconsin, school district filed a federal lawsuit against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.
The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, according to the hacker, led to a global breach of some 62.4 million students' and 9.5 million educators' personal information. Though the company hasn't acknowledged how many people were affected, exposed sensitive files reportedly include Social Security numbers, special education records and detailed medical information.
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
The St. Croix Falls lawsuit alleges breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.
'At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,' attorney William Shinoff, whose firm represents the St. Croix Falls district, told The 74 in an interview.
A Powerschool spokesperson didn't immediately respond to a request for comment Tuesday about the St. Croix Falls lawsuit.
Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft.
But because these center on the data breach's potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised.
'A cornerstone of the commercial relationship between' the school district and the company was educators' 'reliance on PowerSchool's representation that it would adequately protect' students' and educators' sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 'has done little to help' the school district and people whose information was compromised.
Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 'file thousands' of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown.
'What I can tell you is we've already spoken to hundreds of districts,' Shinoff said. 'Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they're reimbursed these public dollars that were spent for their programs.'
Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook's and Instagram's parent company Meta and the electronic cigarette company Juul. The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm.
Related
PowerSchool has acknowledged the hacker used a compromised password belonging to 'an authorized support engineer' to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to a draft cybersecurity audit and other records obtained by NBC News.
The full audit, released by the company last week, found its systems were breached in August — months earlier than previously disclosed — but couldn't say for certain it was by the same threat actors.
The company 'failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,' the complaint alleges. 'Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.'
The legally binding data privacy agreement that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was kicked off Feb 13.
Related
In an earlier statement to The 74, PowerSchool spokesperson Beth Keebler said the company 'has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.'
'PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,' the statement continued. 'However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.'
Despite PowerSchool's promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told The 74.
But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare.
'Many school districts are between the devil and the deep blue sea,' Williams said. 'Many of them don't have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.'
While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics.
The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America's 100 largest school districts.
PowerSchool was acquired in October 2024 by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform Naviance, has acquired multiple smaller ed tech ventures, such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation's K-12 classrooms.
Williams is the author of the data privacy agreement central to the Wisconsin district's claims against PowerSchool. Created by the Student Data Privacy Consortium, a collaborative effort between school districts and technology vendors to keep students' information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — including PowerSchool — follow stringent security practices.
Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker.
PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC's reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession.
Through the agreements, PowerSchool also vowed to 'abide by and maintain adequate data security measures, consistent with industry standards' for the storage of sensitive records.
Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium.
'We just felt that at some point you have to police the process, at some point you have to draw a red line,' Williams told The 74. 'We've got to protect the contract because it protects schools and it protects kids. So that's not negotiable for us.'
Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.
'At this point their word, to us, can't be trusted,' Shinoff said. 'For them to have someone that they're reporting to for a period of time is something that's essential — especially when we're dealing with thousands and thousands of districts across the country.'
Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students' personal information out of the hands of malicious actors.
As an early adopter of a voluntary federal pledge to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide.
Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.
During the event, the company said it would provide free webinars, training videos and other resources to help schools better secure their systems.
In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 'relentless investment and focus on every element of security.'
Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson opened an investigation into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 'to determine if they broke any laws.'
The company is also facing bipartisan federal questioning. In a Feb. 21 letter, senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals.
'School district leaders who we have spoken with raised serious concerns about delays in your company's response to the cybersecurity incident, including delayed notifications to impacted schools,' wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach.
PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 'adult students and educators.' Keeber, the PowerSchool spokesperson, said in the statement the company has seen 'no evidence of fraud or further misuse of the information involved to date.'
But the senators wrote that PowerSchool 'has not clearly communicated a date by which impacted individuals will receive' the services.
'Your delayed and unclear communication is unacceptable,' the letter continued, 'especially given the sensitive nature of the personal data that was stolen.'
Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.
They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.
One federal lawsuit brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 'partners' with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot.
'The information PowerSchool takes from students is virtually unlimited,' the complaint alleges. 'It includes everything from education records and behavioral history to health data and information about a child's family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.'
In a motion to dismiss the lawsuit, PowerSchool's attorneys claimed Cherkin's complaint relied on 'broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.'
Related
Keebler, the company spokesperson, denied Cherkin's claims that it sells data or uses personal data to train its chatbots.
But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals — and should have been a red flag all along. She compared Powerschool's business model to that of social media companies that are built to amass and monetize user data.
'I'm truly not at all shocked that this happened,' she said of the breach. 'The only way, really, to keep data safe is to not collect it and stockpile it in the first place.'
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Yahoo
14 minutes ago
- Yahoo
5 Major Social Security Mistakes Boomers Can't Stop Making
Retirement planning is both complicated and high-stakes — a recipe for mistakes with major financial consequences. And sure enough, Business Insider reported that more than half of Americans over 65 earn less than $30,000 a year. As you plan your own retirement, watch out for these Social Security mistakes plaguing current baby boomers. Check Out: Read Next: Too many people reach their early 60s and think: 'I've been paying into the system for decades, I need to lock in my share!' Unfortunately, that leaves them with far lower lifetime benefits than if they'd waited. 'Filing early means locking in a permanent reduction in benefits, up to 30% if your full retirement age is 67,' explained Christine M. Parisi, senior wealth advisor at R.W. Rogé & Company. If you take benefits at age 62, you receive just 70% of your full retirement benefit. At 67, you collect 100%. Wait until 70, and you receive 124% of your full Social Security benefit. Learn More: Plan to continue working for a while? Hold off on taking Social Security — and not just to secure higher benefits. 'If your earnings exceed the annual limit, the Social Security Administration may withhold $1 in benefits for every $2 you earn over the threshold,' Parisi added. 'Benefits can also push your income higher for Medicare-related costs like IRMAA, meaning you could end up paying more in premiums.' Plus, combining your salary with Social Security can push you into a higher tax bracket. You can end up handing much of that money right back to Uncle Sam. If one spouse earned significantly higher income, or worked for many years longer, their benefits will be higher. Plan to optimize those, perhaps by having that spouse delay benefits while the family lives on earned income or distributions from retirement accounts before taking benefits. Parisi noted that different rules apply to surviving spouses. 'If your late spouse worked long enough to qualify for Social Security, you may be able to start collecting survivor benefits as early as age 60. Unfortunately, many don't realize this is even an option until it's too late.' First and foremost, when you planned your retirement income, did you account for taxes? You'll still owe income taxes in retirement, at least under current tax laws. 'A portion of Social Security benefits are taxable, up to 85%, based on your provisional income,' said Keith Hensley of Florida Financial Planning. Many states tax Social Security benefits as well. The upshot? You may need more money saved for retirement than you thought. Again, you may be better off working another year and delaying Social Security benefits. It may not be too late for a Roth conversion to make sense. If you have a year with lower income, consider taking the tax hit and converting some of your traditional retirement funds to Roth accounts, so they can compound tax-free and you can avoid paying taxes on withdrawals in retirement. If Social Security is your only — or your primary — plan for retirement income, expect stormy seas ahead. William Connor, CFA and CFP with Sax Wealth Advisors, added some historical context. 'Social Security was created as a safety net for older Americans. It was not designed as a primary source of retirement income, and won't replace your working income.' Instead, combine it with other sources of income such as retirement accounts, health savings accounts (HSAs), taxable brokerage accounts, real estate investments and perhaps part-time fun working gigs. The less you rely on Social Security income, the more comfortable and secure your retirement will be. More From GOBankingRates 3 Luxury SUVs That Will Have Massive Price Drops in Summer 2025 8 Common Mistakes Retirees Make With Their Social Security Checks How Much Money Is Needed To Be Considered Middle Class in Every State? This article originally appeared on 5 Major Social Security Mistakes Boomers Can't Stop Making Sign in to access your portfolio
Yahoo
an hour ago
- Yahoo
Average Social Security Payment in June 2025 Will Surpass a Major Milestone: How Does Yours Stack Up?
For the first time in the history of the Social Security Administration, the average monthly benefit check for a retiree is set to pass $2,000 in June. Be Aware: Read Next: While that's good news on the surface, there are some other factors that may not have every recipient celebrating this major milestone. For those receiving Social Security benefits, the news of the payment milestone may be a reason to celebrate. Based on the Social Security Monthly Statistical Snapshot, the average check hit $1,999.97 in April. That puts it on track to pass the $2,000 threshold in June, based on projections. However, some recipients have been concerned about seeing smaller checks over threats from President Donald Trump about federal student loan garnishments. It's an issue impacting many people. In fact, according to the Consumer Financial Protection Bureau, there are 450,000 federal student loan borrowers 62 years and older who are in default of their student loans and probably receiving Social Security benefits. Learn More: If you receive a Social Security payment, you may be wondering why yours doesn't stack up to the $2,000 milestone or doesn't seem to be enough to get by today. Per USA Today, even though monthly payouts continue to climb, they've been going up at a far slower rate than the pressures of inflation pushing on retirees for years. If you find yourself struggling to pay for things, some basic personal finance guidance may be a good starting place. For example, it may be helpful to create a budget after you list out your monthly expenses. You can see where the money is going and look for ways to cut back, perhaps canceling unnecessary subscriptions or looking at steps to reduce your food bill. It might also be time to take on a side gig or part-time work if you're really struggling with the amount you get. If you go this route, you will want to check if and how working would impact your benefits. As always, do your research or speak with a financial advisor before making any major money decisions. More From GOBankingRates Mark Cuban Warns of 'Red Rural Recession' -- 4 States That Could Get Hit Hard The 5 Car Brands Named the Least Reliable of 2025 9 Downsizing Tips for the Middle Class To Save on Monthly Expenses This article originally appeared on Average Social Security Payment in June 2025 Will Surpass a Major Milestone: How Does Yours Stack Up? Error in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
Newsweek
2 hours ago
- Newsweek
Social Security Update: Payments Of Up To $5,108 Due This Week
Based on facts, either observed and verified firsthand by the reporter, or reported and verified from knowledgeable sources. Newsweek AI is in beta. Translations may contain inaccuracies—please refer to the original content. Retirees who receive social security benefits will get their monthly payment this week. Why It Matters The Social Security Administration (SSA) pays out retirement, survivor and disability benefits to more than 70 million Americans on a monthly basis. It forms a bedrock of income for millions who are retired, disabled or the survivor of a deceased worker. Payments are administered in one lump sum for most recipients, but because of the large number of recipients, not every claimant receives their payment on the same date each month. What To Know On Wednesday, June 11, benefit payments are scheduled to be made to those with a birthday between the 1st and 10th of any given month in the year. Anyone who hasn't received their payment on the expected date should allow three working days before contacting the SSA. Saturdays, Sundays and public holidays are not working days. A stock image shows a Social Security card with U.S. dollars. A stock image shows a Social Security card with U.S. dollars. GETTY How Much Social Security Can I Get? As of January 2025, the average monthly Social Security retirement benefit came in at $1,976. However, the exact amount each person receives depends on their lifetime earnings and the number of years they paid in payroll taxes over the course of their working life. Those who retire at age 62 can receive up to $2,831 per month. Waiting until full retirement age (67) increases the maximum benefit to $4,018. For those who delay claiming until age 70, the monthly benefit rises to a maximum of $5,108. If you receive Supplemental Security Income—for elderly, blind and disabled Americans with little to no income—the 2025 maximum is $967 for individuals and $1,450 for couples. However, payments may be lower than this as they are based on income, living situation and other eligibility factors. Further Payment Dates For June In June, benefits will be paid on the following dates: Wednesday, June 18 : Benefits for those born between the 11th and 20th. : Benefits for those born between the 11th and 20th. Wednesday, June 25: Benefits for those with birthdays between the 21st and 30th. Social Security Fairness Act More than a million Americans who were impacted by the passage of the Social Security Fairness Act earlier this year have already begun receiving updated benefits. But the SSA recently updated beneficiaries expecting higher and retroactive payments, saying there are delays to some claims. Updated benefit amounts, as well as retroactive payments back to December 2023, began in April. While 91 percent of the those impacted are now receiving full benefits, there are still some "complex cases" that are taking longer to update. "For the many complex cases that cannot be processed automatically, additional time is required to manually update the records and pay both retroactive benefits and the new benefits amount," the SSA said in an update on its website. "We are expediting these cases now."
