Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach

Yahoo, 11-03-2025

The St. Croix Falls, Wisconsin, school district filed a federal lawsuit against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.
The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, according to the hacker, led to a global breach of some 62.4 million students' and 9.5 million educators' personal information. Though the company hasn't acknowledged how many people were affected, exposed sensitive files reportedly include Social Security numbers, special education records and detailed medical information.
The St. Croix Falls lawsuit alleges breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.
'At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,' attorney William Shinoff, whose firm represents the St. Croix Falls district, told The 74 in an interview.
A PowerSchool spokesperson didn't immediately respond to a request for comment Tuesday about the St. Croix Falls lawsuit.
Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft.
But because these center on the data breach's potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised.
'A cornerstone of the commercial relationship between' the school district and the company was educators' 'reliance on PowerSchool's representation that it would adequately protect' students' and educators' sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 'has done little to help' the school district and people whose information was compromised.
Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 'file thousands' of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown.
'What I can tell you is we've already spoken to hundreds of districts,' Shinoff said. 'Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they're reimbursed these public dollars that were spent for their programs.'
Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook's and Instagram's parent company Meta and the electronic cigarette company Juul. The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm.
PowerSchool has acknowledged the hacker used a compromised password belonging to 'an authorized support engineer' to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to a draft cybersecurity audit and other records obtained by NBC News.
The full audit, released by the company last week, found its systems were breached in August — months earlier than previously disclosed — but couldn't say for certain it was by the same threat actors.
The company 'failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,' the complaint alleges. 'Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.'
The legally binding data privacy agreement that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was kicked off Feb 13.
In an earlier statement to The 74, PowerSchool spokesperson Beth Keebler said the company 'has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.'
'PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,' the statement continued. 'However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.'
Despite PowerSchool's promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told The 74.
But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare.
'Many school districts are between the devil and the deep blue sea,' Williams said. 'Many of them don't have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.'
Finding a competitor might also prove challenging. While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics.
The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America's 100 largest school districts.
PowerSchool was acquired in October 2024 by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform Naviance, has acquired multiple smaller ed tech ventures, such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation's K-12 classrooms.
Williams is the author of the data privacy agreement central to the Wisconsin district's claims against PowerSchool. Created by the Student Data Privacy Consortium, a collaborative effort between school districts and technology vendors to keep students' information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — including PowerSchool — follow stringent security practices.
Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker.
PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC's reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession.
Through the agreements, PowerSchool also vowed to 'abide by and maintain adequate data security measures, consistent with industry standards' for the storage of sensitive records.
Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium.
'We just felt that at some point you have to police the process, at some point you have to draw a red line,' Williams told The 74. 'We've got to protect the contract because it protects schools and it protects kids. So that's not negotiable for us.'
Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.
'At this point their word, to us, can't be trusted,' Shinoff said. 'For them to have someone that they're reporting to for a period of time is something that's essential — especially when we're dealing with thousands and thousands of districts across the country.'
Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students' personal information out of the hands of malicious actors.
As an early adopter of a voluntary federal pledge to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide.
Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.
During the event, the company said it would provide free webinars, training videos and other resources to help schools better secure their systems.
In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 'relentless investment and focus on every element of security.'
Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson opened an investigation into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 'to determine if they broke any laws.'
The company is also facing bipartisan federal scrutiny. In a Feb. 21 letter, senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals.
'School district leaders who we have spoken with raised serious concerns about delays in your company's response to the cybersecurity incident, including delayed notifications to impacted schools,' wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach.
PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 'adult students and educators.' Keebler, the PowerSchool spokesperson, said in the statement the company has seen 'no evidence of fraud or further misuse of the information involved to date.'
But the senators wrote that PowerSchool 'has not clearly communicated a date by which impacted individuals will receive' the services.
'Your delayed and unclear communication is unacceptable,' the letter continued, 'especially given the sensitive nature of the personal data that was stolen.'
Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.
They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.
One federal lawsuit brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 'partners' with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot.
'The information PowerSchool takes from students is virtually unlimited,' the complaint alleges. 'It includes everything from education records and behavioral history to health data and information about a child's family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.'
In a motion to dismiss the lawsuit, PowerSchool's attorneys claimed Cherkin's complaint relied on 'broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.'
Keebler, the company spokesperson, denied Cherkin's claims that it sells data or uses personal data to train its chatbots.
But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students has made it an attractive target for cybercriminals — and should have been a red flag all along. She compared PowerSchool's business model to that of social media companies that are built to amass and monetize user data.
'I'm truly not at all shocked that this happened,' she said of the breach. 'The only way, really, to keep data safe is to not collect it and stockpile it in the first place.'
