Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach
The St. Croix Falls, Wisconsin, school district filed a federal lawsuit against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.
The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, according to the hacker, led to a global breach of some 62.4 million students' and 9.5 million educators' personal information. Though the company hasn't acknowledged how many people were affected, exposed sensitive files reportedly include Social Security numbers, special education records and detailed medical information.
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
The St. Croix Falls lawsuit alleges breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.
'At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,' attorney William Shinoff, whose firm represents the St. Croix Falls district, told The 74 in an interview.
A Powerschool spokesperson didn't immediately respond to a request for comment Tuesday about the St. Croix Falls lawsuit.
Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft.
But because these center on the data breach's potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised.
'A cornerstone of the commercial relationship between' the school district and the company was educators' 'reliance on PowerSchool's representation that it would adequately protect' students' and educators' sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 'has done little to help' the school district and people whose information was compromised.
Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 'file thousands' of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown.
'What I can tell you is we've already spoken to hundreds of districts,' Shinoff said. 'Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they're reimbursed these public dollars that were spent for their programs.'
Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook's and Instagram's parent company Meta and the electronic cigarette company Juul. The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm.
Related
PowerSchool has acknowledged the hacker used a compromised password belonging to 'an authorized support engineer' to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to a draft cybersecurity audit and other records obtained by NBC News.
The full audit, released by the company last week, found its systems were breached in August — months earlier than previously disclosed — but couldn't say for certain it was by the same threat actors.
The company 'failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,' the complaint alleges. 'Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.'
The legally binding data privacy agreement that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was kicked off Feb 13.
Related
In an earlier statement to The 74, PowerSchool spokesperson Beth Keebler said the company 'has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.'
'PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,' the statement continued. 'However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.'
Despite PowerSchool's promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told The 74.
But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare.
'Many school districts are between the devil and the deep blue sea,' Williams said. 'Many of them don't have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.'
Finding a competitor might also prove challenging. While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics.
The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America's 100 largest school districts.
PowerSchool was acquired in October 2024 by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform Naviance, has acquired multiple smaller ed tech ventures, such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation's K-12 classrooms.
Williams is the author of the data privacy agreement central to the Wisconsin district's claims against PowerSchool. Created by the Student Data Privacy Consortium, a collaborative effort between school districts and technology vendors to keep students' information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — including PowerSchool — follow stringent security practices.
Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker.
PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC's reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession.
Through the agreements, PowerSchool also vowed to 'abide by and maintain adequate data security measures, consistent with industry standards' for the storage of sensitive records.
Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium.
'We just felt that at some point you have to police the process, at some point you have to draw a red line,' Williams told The 74. 'We've got to protect the contract because it protects schools and it protects kids. So that's not negotiable for us.'
Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.
'At this point their word, to us, can't be trusted,' Shinoff said. 'For them to have someone that they're reporting to for a period of time is something that's essential — especially when we're dealing with thousands and thousands of districts across the country.'
Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students' personal information out of the hands of malicious actors.
As an early adopter of a voluntary federal pledge to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide.
Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.
During the event, the company said it would provide free webinars, training videos and other resources to help schools better secure their systems.
In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 'relentless investment and focus on every element of security.'
Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson opened an investigation into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 'to determine if they broke any laws.'
The company is also facing bipartisan federal scrutiny. In a Feb. 21 letter, senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals.
'School district leaders who we have spoken with raised serious concerns about delays in your company's response to the cybersecurity incident, including delayed notifications to impacted schools,' wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach.
PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 'adult students and educators.' Keeber, the PowerSchool spokesperson, said in the statement the company has seen 'no evidence of fraud or further misuse of the information involved to date.'
But the senators wrote that PowerSchool 'has not clearly communicated a date by which impacted individuals will receive' the services.
'Your delayed and unclear communication is unacceptable,' the letter continued, 'especially given the sensitive nature of the personal data that was stolen.'
Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.
They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.
One federal lawsuit brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 'partners' with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot.
'The information PowerSchool takes from students is virtually unlimited,' the complaint alleges. 'It includes everything from education records and behavioral history to health data and information about a child's family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.'
In a motion to dismiss the lawsuit, PowerSchool's attorneys claimed Cherkin's complaint relied on 'broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.'
Related
Keebler, the company spokesperson, denied Cherkin's claims that it sells data or uses personal data to train its chatbots.
But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals — and should have been a red flag all along. She compared Powerschool's business model to that of social media companies that are built to amass and monetize user data.
'I'm truly not at all shocked that this happened,' she said of the breach. 'The only way, really, to keep data safe is to not collect it and stockpile it in the first place.'
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Yahoo
4 hours ago
- Yahoo
Iowa restaurant chain paid its servers only tips, U.S. Department of Labor claims
The Mexico Lindo Grill & Cantina at 1857 Lower Muscatine Road in Iowa City is one of three Iowa restaurants accused of wage-and-hour violations by the U.S. Department of Labor. (Photo via Google Earth) A chain of Iowa-based Mexican restaurants is being sued by the federal government for allegedly paying some of its workers only the tips collected from customers. In a lawsuit filed in U.S. District Court for the Southern District of Iowa, the U.S. Department of Labor is alleging that Rocio Correa-Mata, 33, of Iowa City, as the sole owner and primary manager of the Mexico Lindo Grill & Cantina restaurant chain, violated the Fair Labor Standards Act of 1938. Mexico Lindo Grill & Cantina has locations in West Branch, Iowa City, and North Liberty. SUBSCRIBE: GET THE MORNING HEADLINES DELIVERED TO YOUR INBOX The department alleges that certain servers at the restaurants were 'only paid via direct cash and credit tips from customers' and did not receive the federal minimum wage rate of $7.25 per hour. The chain also is alleged to have 'willfully and repeatedly' paid employees less than the statutory overtime rate of 1.5 times the workers' regular wages for all hours worked in excess of 40 hours per week. In addition, the department claims Mexico Lindo paid its 'back-of-the-house employees' – a term typically used to describe kitchen workers — a cash salary that was insufficient to compensate them for any overtime hours. According to the lawsuit, Mexico Lindo then failed to create and preserve accurate records of employees' hours and failed to document each worker's full name and Social Security number. The department alleges defendant Correa-Mata has actively managed and supervised Mexico Lindo's operations and employees from June 2015 through the present, overseeing the chain's daily operations, hiring and firing employees, establishing work schedules, and setting rates of pay at each location. The Department of Labor is seeking a court order enjoining Correa-Mata and the chain from 'continuing to withhold employees' unpaid minimum wages and overtime compensation,' as well as an order finding them liable for any unpaid wages, plus an equal amount in liquidated damages, payable to 25 different employees of the three Mexico Lindo locations. The Iowa Capital Dispatch was unable to reach Correa-Mata at home or at any of the Mexico Lindo restaurants. SUPPORT: YOU MAKE OUR WORK POSSIBLE
Yahoo
5 hours ago
- Yahoo
Boomers Aren't Planning for a 30+ Year Retirement: 3 Reasons This Is a Mistake
The average number of years spent in retirement continues to grow, but many boomers aren't planning to spend several decades in retirement. According to TIAA Institute's 'Retired for How Long?' report, most boomers (57%) plan to retire between ages 60 and 69 and nearly half (46%) believe they will live to age 90 or older. That means a significant portion of boomers will spend 30-plus years in retirement. Yet, only 9% are planning to spend that long in retirement. Find Out: Read Next: While not every boomer will be retired for over 30 years, here's why not planning for the possibility is a misstep. The biggest risk that comes along with not planning for longevity is that you will run out of money in retirement and won't have a way to replenish it. 'Underestimating the number of years you will live in retirement is like planning a cross-country road trip with only half a tank of gas in the car,' said Kourtney Gibson, CEO of TIAA Retirement Solutions. 'If you do not have enough gas, you will run out before you arrive at your destination. Planning for longevity in retirement is the same. If your planning horizon is too short, you will not have enough savings to last the duration of your retirement.' Many boomers don't take the duration of their retirement into account when planning for their golden years. 'You need to save enough money for the years you may actually live in retirement in order to have enough savings to last the duration of your retirement, yet many Americans are not saving enough because they lack longevity literacy or a basic understanding of how long they can live in retirement,' Gibson said. Learn More: Many Americans consider the risks of mental decline, market swings and inflation when planning for retirement, but don't put longevity risk on the same level. However, it's also one of the biggest risks to retirement security. 'Longevity risk is one of four risks that threatens retirement security, and probably one of the easiest risks to offset with proper planning,' Gibson said. When it comes to retirement planning, being overprepared is always better than being underprepared. 'Research shows life expectancy has increased by 17 years since the debut of Social Security nearly 90 years ago,' Gibson said. 'People are living longer, and longer lifespans mean they need retirement income to last as long as they do. The road to retirement security must include strategies that provide income for the span of our retirement, whether that is 20 years, 30 years or more. 'Every generation should plan and save for longer lifespans — not shorter ones,' she continued. 'That is the best way to prepare for longevity and offset the risk of running out of savings in retirement.' Setting yourself up for a 30-plus-year retirement can be a daunting task, but it's possible to achieve with proper planning. Even if you're already on the cusp of retirement, there are steps you can take now to ensure you are in a secure place financially for the duration of your time in retirement. Set goals for what you want your entire retirement to look like. 'Most people have a wish list of things they want to do when they retire, but what does life look like when you're 80, 85 or even 90 years old?' Gibson said. 'Do you see yourself still traveling the world? Are you living at home with family or with a caretaker?' Think about how you want to spend your time, not just in the early years of your retirement, but 20 years into it and beyond. 'Create a savings strategy that supports your dreams,' Gibson said. 'The earlier you begin the process, the more time your money has to grow, but there is still value in maximizing retirement plan contributions and taking advantage of your company's match, even in the ninth inning.' Products like annuities can help ensure you have a source of income throughout your retired life. 'For those closest to retirement age like baby boomers, preparing for retirement may feel like a race against the clock — but you still have time to protect your future,' Gibson said. 'Adding a source of guaranteed lifetime income to your retirement planning strategy protects your future by providing income that cannot be outlived. By converting your retirement savings into an annuity with guaranteed payments, you are creating an additional source of income that will last all through your golden years.' Planning for a lengthy retirement is easier to do when you have a financial expert on your side. 'Whether you take advantage of financial advice offered by your employer or work with an advice team through a reputable outside firm, getting advice from a trusted licensed financial advisor or professional as part of your retirement planning can improve retirement outcomes and readiness,' Gibson said, 'and can help at every stage of your retirement planning journey.' More From GOBankingRates Mark Cuban Warns of 'Red Rural Recession' -- 4 States That Could Get Hit Hard Mark Cuban Tells Americans To Stock Up on Consumables as Trump's Tariffs Hit -- Here's What To Buy 9 Downsizing Tips for the Middle Class To Save on Monthly Expenses This article originally appeared on Boomers Aren't Planning for a 30+ Year Retirement: 3 Reasons This Is a Mistake Error in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
Business Wire
5 hours ago
- Business Wire
Object First Named Immutable Storage Company of the Year and Editor's Choice at Storage Awards
BEVERLY, Mass.--(BUSINESS WIRE)-- Object First, the creator of Ootbi (Out-of-the-Box-Immutability), the ransomware-proof backup storage appliance purpose-built for Veeam ®, was recognized for its innovation and industry leadership with two major honors at the 22nd annual Storage Awards Immutable Storage Company of the Year and Editor's Choice – Company. This is the second consecutive year Object First has been named the Immutable Storage Company of the Year, a category determined entirely by public vote—demonstrating continued trust and validation from the IT and cybersecurity community. Recent research with Enterprise Strategy Group shows that 81% of IT professionals agree that immutable storage built on Zero Trust is an organization's best defense against ransomware. The Editor's Choice – Company award recognizes Object First's growing impact in the backup storage market and its commitment to the channel. 'To be recognized by the public and the editorial community is an incredible honor and speaks to the strength of our product and our growing partner ecosystem,' said Daniel Fried, Senior Vice President of Sales, EMEA, Object First. 'As more organizations prioritize data security, customers and partners turn to immutable backup storage built on Zero Trust principles as the best defense against ransomware. We're committed to delivering the only secure, simple, and powerful backup storage solution purpose-built for the world's leading data resilience platform—Veeam.' Object First's Ootbi appliance makes immutable storage easy to deploy, scale, and manage, with no security expertise required. It is consistently tested for the highest levels of security by third-party organizations like NCC Group, built to follow CISA's Secure by Design principles, and ensures compliance readiness for directives like NIS2. The Storage Awards recognition adds to a year of notable accolades for Object First, including: About Object First Ransomware-proof and immutable out-of-the-box, Ootbi by Object First delivers secure, simple, and powerful backup storage for Veeam ® customers. The appliance can be racked, stacked, and powered in 15 minutes. Ootbi is built on immutable object storage technology designed and optimized for unbeatable backup and recovery performance. Eliminate the need to sacrifice performance and simplicity to meet budget constraints with Ootbi by Object First. To learn more, visit and follow Object First on its blog, LinkedIn, and X. Subscribe to its Zero Gravity podcast here.
