Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach

Yahoo

11-03-2025

The St. Croix Falls, Wisconsin, school district filed a federal lawsuit against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.
The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, according to the hacker, led to a global breach of some 62.4 million students' and 9.5 million educators' personal information. Though the company hasn't acknowledged how many people were affected, exposed sensitive files reportedly include Social Security numbers, special education records and detailed medical information.
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter
The St. Croix Falls lawsuit alleges breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.
'At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,' attorney William Shinoff, whose firm represents the St. Croix Falls district, told The 74 in an interview.
A Powerschool spokesperson didn't immediately respond to a request for comment Tuesday about the St. Croix Falls lawsuit.
Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft.
But because these center on the data breach's potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised.
'A cornerstone of the commercial relationship between' the school district and the company was educators' 'reliance on PowerSchool's representation that it would adequately protect' students' and educators' sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 'has done little to help' the school district and people whose information was compromised.
Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 'file thousands' of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown.
'What I can tell you is we've already spoken to hundreds of districts,' Shinoff said. 'Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they're reimbursed these public dollars that were spent for their programs.'
Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook's and Instagram's parent company Meta and the electronic cigarette company Juul. The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm.
Related
PowerSchool has acknowledged the hacker used a compromised password belonging to 'an authorized support engineer' to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to a draft cybersecurity audit and other records obtained by NBC News.
The full audit, released by the company last week, found its systems were breached in August — months earlier than previously disclosed — but couldn't say for certain it was by the same threat actors.
The company 'failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,' the complaint alleges. 'Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.'
The legally binding data privacy agreement that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was kicked off Feb 13.
Related
In an earlier statement to The 74, PowerSchool spokesperson Beth Keebler said the company 'has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.'
'PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,' the statement continued. 'However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.'
Despite PowerSchool's promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told The 74.
But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare.
'Many school districts are between the devil and the deep blue sea,' Williams said. 'Many of them don't have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.'
Finding a competitor might also prove challenging. While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics.
The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America's 100 largest school districts.
PowerSchool was acquired in October 2024 by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform Naviance, has acquired multiple smaller ed tech ventures, such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation's K-12 classrooms.
Williams is the author of the data privacy agreement central to the Wisconsin district's claims against PowerSchool. Created by the Student Data Privacy Consortium, a collaborative effort between school districts and technology vendors to keep students' information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — including PowerSchool — follow stringent security practices.
Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker.
PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC's reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession.
Through the agreements, PowerSchool also vowed to 'abide by and maintain adequate data security measures, consistent with industry standards' for the storage of sensitive records.
Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium.
'We just felt that at some point you have to police the process, at some point you have to draw a red line,' Williams told The 74. 'We've got to protect the contract because it protects schools and it protects kids. So that's not negotiable for us.'
Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.
'At this point their word, to us, can't be trusted,' Shinoff said. 'For them to have someone that they're reporting to for a period of time is something that's essential — especially when we're dealing with thousands and thousands of districts across the country.'
Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students' personal information out of the hands of malicious actors.
As an early adopter of a voluntary federal pledge to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide.
Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.
During the event, the company said it would provide free webinars, training videos and other resources to help schools better secure their systems.
In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 'relentless investment and focus on every element of security.'
Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson opened an investigation into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 'to determine if they broke any laws.'
The company is also facing bipartisan federal scrutiny. In a Feb. 21 letter, senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals.
'School district leaders who we have spoken with raised serious concerns about delays in your company's response to the cybersecurity incident, including delayed notifications to impacted schools,' wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach.
PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 'adult students and educators.' Keeber, the PowerSchool spokesperson, said in the statement the company has seen 'no evidence of fraud or further misuse of the information involved to date.'
But the senators wrote that PowerSchool 'has not clearly communicated a date by which impacted individuals will receive' the services.
'Your delayed and unclear communication is unacceptable,' the letter continued, 'especially given the sensitive nature of the personal data that was stolen.'
Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.
They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.
One federal lawsuit brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 'partners' with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot.
'The information PowerSchool takes from students is virtually unlimited,' the complaint alleges. 'It includes everything from education records and behavioral history to health data and information about a child's family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.'
In a motion to dismiss the lawsuit, PowerSchool's attorneys claimed Cherkin's complaint relied on 'broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.'
Related
Keebler, the company spokesperson, denied Cherkin's claims that it sells data or uses personal data to train its chatbots.
But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals — and should have been a red flag all along. She compared Powerschool's business model to that of social media companies that are built to amass and monetize user data.
'I'm truly not at all shocked that this happened,' she said of the breach. 'The only way, really, to keep data safe is to not collect it and stockpile it in the first place.'