Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach
The St. Croix Falls, Wisconsin, school district filed a federal lawsuit against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.
The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, according to the hacker, led to a global breach of some 62.4 million students' and 9.5 million educators' personal information. Though the company hasn't acknowledged how many people were affected, exposed sensitive files reportedly include Social Security numbers, special education records and detailed medical information.
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
The St. Croix Falls lawsuit alleges breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.
'At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,' attorney William Shinoff, whose firm represents the St. Croix Falls district, told The 74 in an interview.
A Powerschool spokesperson didn't immediately respond to a request for comment Tuesday about the St. Croix Falls lawsuit.
Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft.
But because these center on the data breach's potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised.
'A cornerstone of the commercial relationship between' the school district and the company was educators' 'reliance on PowerSchool's representation that it would adequately protect' students' and educators' sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 'has done little to help' the school district and people whose information was compromised.
Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 'file thousands' of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown.
'What I can tell you is we've already spoken to hundreds of districts,' Shinoff said. 'Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they're reimbursed these public dollars that were spent for their programs.'
Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook's and Instagram's parent company Meta and the electronic cigarette company Juul. The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm.
Related
PowerSchool has acknowledged the hacker used a compromised password belonging to 'an authorized support engineer' to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to a draft cybersecurity audit and other records obtained by NBC News.
The full audit, released by the company last week, found its systems were breached in August — months earlier than previously disclosed — but couldn't say for certain it was by the same threat actors.
The company 'failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,' the complaint alleges. 'Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.'
The legally binding data privacy agreement that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was kicked off Feb 13.
Related
In an earlier statement to The 74, PowerSchool spokesperson Beth Keebler said the company 'has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.'
'PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,' the statement continued. 'However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.'
Despite PowerSchool's promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told The 74.
But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare.
'Many school districts are between the devil and the deep blue sea,' Williams said. 'Many of them don't have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.'
Finding a competitor might also prove challenging. While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics.
The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America's 100 largest school districts.
PowerSchool was acquired in October 2024 by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform Naviance, has acquired multiple smaller ed tech ventures, such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation's K-12 classrooms.
Williams is the author of the data privacy agreement central to the Wisconsin district's claims against PowerSchool. Created by the Student Data Privacy Consortium, a collaborative effort between school districts and technology vendors to keep students' information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — including PowerSchool — follow stringent security practices.
Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker.
PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC's reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession.
Through the agreements, PowerSchool also vowed to 'abide by and maintain adequate data security measures, consistent with industry standards' for the storage of sensitive records.
Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium.
'We just felt that at some point you have to police the process, at some point you have to draw a red line,' Williams told The 74. 'We've got to protect the contract because it protects schools and it protects kids. So that's not negotiable for us.'
Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.
'At this point their word, to us, can't be trusted,' Shinoff said. 'For them to have someone that they're reporting to for a period of time is something that's essential — especially when we're dealing with thousands and thousands of districts across the country.'
Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students' personal information out of the hands of malicious actors.
As an early adopter of a voluntary federal pledge to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide.
Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.
During the event, the company said it would provide free webinars, training videos and other resources to help schools better secure their systems.
In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 'relentless investment and focus on every element of security.'
Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson opened an investigation into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 'to determine if they broke any laws.'
The company is also facing bipartisan federal scrutiny. In a Feb. 21 letter, senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals.
'School district leaders who we have spoken with raised serious concerns about delays in your company's response to the cybersecurity incident, including delayed notifications to impacted schools,' wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach.
PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 'adult students and educators.' Keeber, the PowerSchool spokesperson, said in the statement the company has seen 'no evidence of fraud or further misuse of the information involved to date.'
But the senators wrote that PowerSchool 'has not clearly communicated a date by which impacted individuals will receive' the services.
'Your delayed and unclear communication is unacceptable,' the letter continued, 'especially given the sensitive nature of the personal data that was stolen.'
Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.
They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.
One federal lawsuit brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 'partners' with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot.
'The information PowerSchool takes from students is virtually unlimited,' the complaint alleges. 'It includes everything from education records and behavioral history to health data and information about a child's family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.'
In a motion to dismiss the lawsuit, PowerSchool's attorneys claimed Cherkin's complaint relied on 'broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.'
Related
Keebler, the company spokesperson, denied Cherkin's claims that it sells data or uses personal data to train its chatbots.
But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals — and should have been a red flag all along. She compared Powerschool's business model to that of social media companies that are built to amass and monetize user data.
'I'm truly not at all shocked that this happened,' she said of the breach. 'The only way, really, to keep data safe is to not collect it and stockpile it in the first place.'
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Fox News
43 minutes ago
- Fox News
Digital Social Security cards coming this summer
The Social Security Administration (SSA) just announced a major update. Starting this summer, Americans with a "My Social Security" account will be able to access their digital Social Security number (SSN) online. The goal is to simplify access, reduce paper card replacements and improve data protection. But with convenience comes new cybersecurity concerns. Here's how the digital SSN works, why it's being introduced now and the steps you should take to protect your SSN from identity theft both online and offline. The SSA is introducing secure digital access to your Social Security number through the "My Social Security" portal. If you forget your SSN, misplace your card or need to share your number for non-SSA purposes (such as job applications or financial services), you'll be able to view your number online from a mobile device. "This enhancement will provide individuals…a simple solution allowing them to securely view their SSN online," said the SSA. This update eliminates the need for mail delays or in-person visits to your local SSA office. There are a few big reasons the SSA is rolling this out now: The digital SSN option will be available in early summer 2025. If you already have a "My Social Security" account, you'll be able to access the feature once it rolls out. You'll need a "My Social Security" account to use the digital SSN features. Here's how to get started: 1) Visit the SSA's account portal: Go to and click "Create an Account." 2) Verify your identity: You'll be asked to provide your name, birthdate, SSN and address. The SSA may use a third-party identity verification service and ask questions based on your credit report. 3) Choose a username and password: Use a strong, unique password and set up two-factor authentication with your phone number or an authenticator app. Consider using a password manager to generate and store complex passwords. 4) Log in and check your dashboard: Once the digital SSN feature launches, you'll be able to view your number securely from your account on a mobile device or computer. If you're already signed up, double-check your security settings and make sure your contact information is current. Even with digital access making your SSN more convenient, it's still one of the most sensitive pieces of personal information you own. If your SSN falls into the wrong hands, it can lead to identity theft, credit fraud and even tax return scams. Here are the best ways to protect it: 1) Use a strong password for your SSA account: Create a unique, complex password for your "My Social Security" account and enable two-factor authentication. This ensures that even if someone guesses your password, they won't be able to log in without a second verification step. Consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here. 2) Avoid public Wi-Fi when accessing your SSN: If you're checking your SSA account, avoid doing so over unsecured networks like public Wi-Fi. Use a secure home network or VPN to encrypt your connection and protect your session from hackers. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices. 3) Be cautious of phishing scams and use strong antivirus software: Scammers often pose as the SSA to trick you into revealing your SSN. Don't click links in unsolicited emails or texts and never give personal information unless you're sure the source is legitimate. Always go directly to if in doubt. To block suspicious links and attachments before they reach you, consider using strong antivirus software. The right antivirus can help detect phishing attempts and protect you from malicious downloads. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices. 4) Monitor your credit and bank accounts and use an identity theft service: Staying on top of your financial activity is one of the most effective ways to catch identity theft early. That's where identity protection services come in. Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. See my tips and best picks on how to protect yourself from identity theft. 5) Check your credit reports: Make it a habit to review your credit reports regularly. Look for unfamiliar accounts, unauthorized inquiries or incorrect personal information. If something seems off, contact the credit bureau right away to dispute it. 6) Request an IRS Identity Protection PIN: Prevent fraudulent tax filings using your SSN by setting up an Identity Protection PIN with the IRS. This six-digit number adds another layer of protection during tax season. 7) Review your Social Security earnings record: Log in to your "My Social Security" account regularly to review your earnings history and benefits. This helps ensure your information hasn't been altered or compromised. Starting this summer, the SSA will let you view your Social Security number online through your "My Social Security" account. It's a secure, convenient update that cuts down on lost cards and office visits. To use it safely, set up strong login credentials and two-factor authentication. And since your SSN remains a top target for identity thieves, now's the time to protect it with tools like a password manager, VPN, antivirus software and identity theft monitoring. Do you trust digital access to your Social Security number? Let us know by writing to us at For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Follow Kurt on his social channels: Answers to the most-asked CyberGuy questions: New from Kurt: Copyright 2025 All rights reserved.
CNBC
an hour ago
- CNBC
Millions of student loan borrowers were promised an interest-free break. This woman's debt is still growing
Earlier this month, Ellie Bruecker received a troubling notice from her student loan servicer, Mohela. "Although no payments are due at this time, interest continues to accrue on your loan(s) during the forbearance period," Mohela wrote to Bruecker in the June 1 letter, which CNBC reviewed. "You have the option to pay the interest during the forbearance." The problem: The U.S. Department of Education had promised borrowers who were enrolled in the so-called SAVE forbearance, including Bruecker, that interest would not accrue on their debt. Millions of borrowers were switched into the payment pause in the summer of 2024 after the Biden administration-era repayment program — called the Saving on a Valuable Education plan — became tied up in legal challenges due to its generous terms. The Trump administration has not said when that forbearance will end, and recently it released information showing that nearly 2 million student loan borrowers were stuck in a backlog of applications to get into other available repayment plans. Despite the government's promises, Bruecker's student debt has grown by around $3,000 during the roughly year-long SAVE reprieve, her loan documents show. "I saw those numbers and my eyes bugged out of my head," said Bruecker, 34. She's not the only SAVE borrower seeing interest accruing: Other people facing the same issue have taken to social media to try and get answers. At one point, around 8 million people were enrolled in the SAVE plan, according to the Education Dept. More from Personal Finance:Social Security gets break from student loan collectionsIs college still worth it? It is for most, but not allWhat to know before you tap your 529 plan Bruecker happens to work as the director of research at The Institute for College Access & Success, a nonprofit that does advocacy work in the higher education space. But she wonders how many student loan borrowers will even know that this wasn't supposed to happen, let alone be able to get it corrected. "Will they resolve this for everyone, or just those who get them on the phone and are loud about it?" she said. It's unclear how widespread the issue is. A spokesperson for the Education Dept. did not answer CNBC's questions about the issue some borrowers are facing, but said that those "enrolled in the SAVE Plan remain in a forbearance that is not accruing interest." Mohela did not immediately respond to a request for comment. But Mohela has a notice at the top of its website that reads: "If you recently received an interest notice for your student loan account, please know that this is not a bill, and no action is necessary at this time." The notice goes on to say that, "For borrowers on the SAVE administrative forbearance, interest is currently set at 0%. Refer to your loan details in your notice." The company does not say that the alerts were sent in error, but they likely were, said higher education expert Mark Kantrowitz. "MOHELA sent out misleading notices to their borrowers who are in the SAVE repayment plan," Kantrowitz said. "Borrowers who are worried about the MOHELA letter should check their loan history to see if the balance has changed," Kantrowitz added. If their debt has grown since July 2024, "they should contact MOHELA," he said. Bruecker said her loan records from both Mohela and the Education Dept. reflect a higher balance after roughly around $3,000 in interest was added to her debt during the forbearance. "Mohela has been allowing interest to accrue the entire time my loans have been in this SAVE forbearance," she said. She tried to contact Mohela to correct the error, but said she was unable to reach a representative despite waiting on the phone for hours. In recent months, the Trump administration has terminated around half of the Education Department's staff, including many of the people who helped assist borrowers when they ran into issues like this one. A federal judge has ordered Trump officials to reinstate the terminated employees, but the administration is now asking the Supreme Court to block that order. "With the level of dysfunction at the Education Department right now, I have a real distrust this is going to get resolved for people," Bruecker said.
Forbes
an hour ago
- Forbes
Let's Let Everyone Save For Retirement
U.S. public policy typically encourages saving. Our retirement system has undergone a major transformation over the past four decades, shifting workers to an individual savings-based system. Public policy supports saving for college costs, health costs, and emergencies, so it seems odd when a specific group of Americans is denied the ability to save, but that is precisely the situation facing people who receive Supplemental Security Income (SSI) benefits. Established in 1974 by President Nixon and run by the Social Security Administration, SSI provides financial assistance to individuals who have limited income and resources, including those who are 65 or older, blind, or disabled. Unlike Social Security benefits, SSI is not based on work history. Instead, it is a needs-based program funded by general tax revenues, not Social Security contributions. The goal of SSI is to help eligible people cover basic expenses like food, clothing, and shelter. As of February 2025, approximately 7.4 million individuals were receiving SSI payments, which includes one million children. Today SSI is one of the vital economic security programs provided by the Social Security Administration. SSI recipients have very low incomes, which is partly why they are eligible for the program in the first place. But they are subject to very strict asset limits while receiving SSI - asset limits that have not been updated for more than forty years. The current asset limits are $2,000 for an individual and $3,000 for a married couple, which means there is a marriage penalty for an SSI recipient who gets married while receiving benefits. SSI recipients seem to find themselves in this unfortunate circumstance due to congressional neglect. The asset limits are not adjusted for inflation, so they have remained stagnant for four decades. Many SSI beneficiaries have a disability, but significant societal changes over the past four decades have increased opportunities for people with disabilities to participate in the workforce. However, some employed people with disabilities find themselves unable to participate in their employer's 401(k) plan or even receive a bonus because doing so would push them above the asset limit and stop them from receiving their SSI benefits, which they need in addition to their earnings. This issue has not received the attention it should, but Americans strongly support a change in policy. Polling released earlier this year found that two-thirds of Americans support either increasing or eliminating the SSI asset limit. That support was strong across the board regardless of whether the respondent was a Republican, a Democrat, or an independent. The option with the most support was to raise the asset limit to $10,000 for an individual and $20,000 for a couple and to exempt retirement savings from the limit. Fortunately, Congress seems to have woken up to the need to update SSI policy on this front. A bipartisan, bicameral piece of legislation called the SSI Savings Penalty Elimination Act was recently reintroduced in the new Congress. This bill would raise the asset limits to $10,000 for an individual and $20,000 for a couple. Retirement savings would still remain subject to the limit, but the bill is a step in the right direction of enabling more people to save. Recent public policy, such as the SECURE Act and SECURE 2.0 Act, has encouraged Americans to save more for retirement. It's unfortunate that SSI policy isn't on the same track. It seems shortsighted that some Americans are punished for saving because they need extra economic security today. Hopefully this policy will finally be updated after more than four decades and we can let everyone save for retirement.
