The Texas Attorney General’s Office has filed a lawsuit against PowerSchool, a California-based education technology provider, after a massive PowerSchool data breach exposed the personal information of more than 880,000 students and teachers in Texas.
The PowerSchool data breach, which occurred in December 2024, involved the theft of highly sensitive information, including names, addresses, Social Security numbers, medical and disability records, special education details, and even school bus stop locations. Officials warn that this level of exposure places children and educators at risk of identity theft and other security threats.
Court filings reveal that a hacker accessed PowerSchool’s systems through a subcontractor’s account that lacked adequate protections. With administrative-level access, the attacker was able to move large amounts of unencrypted data to a foreign server.
Scope of the PowerSchool data breach’s exposure
PowerSchool’s platform is used across the United States to manage student records, enrollment, and school operations. The company claims to serve roughly 18,000 districts or schools nationwide. In total, the PowerSchool data breach affected more than 62 million students and nearly 10 million teachers worldwide, with 6,500 clients directly impacted.
In Texas, 880,000 individuals had their information compromised.
Allegations against PowerSchool are harsh
The lawsuit alleges that PowerSchool violated the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act by misrepresenting the strength of its cybersecurity protections. Investigators say the company failed to implement basic safeguards, such as multi-factor authentication, access controls, and data encryption.
Attorney General Ken Paxton stated:
“Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused. If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong.”
The complaint points out that PowerSchool advertised its systems as meeting “the highest security standards,” a claim the state now says was false given the scale of the PowerSchool data breach.
PowerSchool acknowledged the data breach
PowerSchool has acknowledged that multi-factor authentication was not in place before the breach but has not issued a public comment on the Texas lawsuit. A Massachusetts college student has already pleaded guilty to carrying out the hack, but state officials argue PowerSchool remains responsible for failing to secure its platform.
The PowerSchool data breach is one of the largest incidents involving an education technology vendor. Experts note that the stolen records—particularly health and disability information—create long-term risks for those affected. The inclusion of bus stop data has drawn special concern over the safety of schoolchildren.
Texas officials have urged parents and teachers impacted by the PowerSchool data breach to monitor credit activity, bank accounts, and personal records for signs of misuse.
