麻豆精品

Get stories like this delivered straight to your inbox. Sign up for 麻豆精品 Newsletter

The St. Croix Falls, Wisconsin, school district against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history. 

The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, , led to a global breach of some 62.4 million students鈥� and 9.5 million educators鈥� personal information. Though the company hasn鈥檛 acknowledged how many people were affected, exposed sensitive files Social Security numbers, special education records and detailed medical information.

The St. Croix Falls breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.

鈥淎t the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,鈥� attorney William Shinoff, whose firm represents the St. Croix Falls district, told 麻豆精品 in an interview.

PowerSchool spokesperson Beth Keebler said in a statement the company 鈥渁cted swiftly and effectively to protect our customers in compliance with the law.鈥�

鈥淧owerSchool believes the claims are without merit and will defend itself,鈥� Keebler said. 鈥淗owever, our focus as a business continues to be our customers, ensuring they have the information and support they need while informing them of the steps we have taken to set a higher standard in cybersecurity for the entire industry.鈥�

Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft. 

But because these center on the data breach鈥檚 potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure 鈥� and failed to provide schools the services they were promised. 

鈥淎 cornerstone of the commercial relationship between鈥� the school district and the company was educators鈥� 鈥渞eliance on PowerSchool鈥檚 representation that it would adequately protect鈥� students鈥� and educators鈥� sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 鈥渉as done little to help鈥� the school district and people whose information was compromised. 

Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 鈥渇ile thousands鈥� of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown. 

鈥淲hat I can tell you is we鈥檝e already spoken to hundreds of districts,鈥� Shinoff said. 鈥淥ur hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they’re reimbursed these public dollars that were spent for their programs.鈥� 

Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook鈥檚 and Instagram鈥檚 and the . The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm. 

PowerSchool has the hacker used a compromised password belonging to 鈥渁n authorized support engineer鈥� to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to and other records obtained by NBC News. 

The full audit, , found its systems were breached in August 鈥� months earlier than previously disclosed 鈥� but couldn鈥檛 say for certain it was by the same threat actors. 

The company 鈥渇ailed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,鈥� the complaint alleges. 鈥淪omething as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.鈥�

The that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was Feb 13.

In an earlier statement to 麻豆精品, Keebler, the PowerSchool spokesperson, said the company 鈥渉as and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.鈥澛�

鈥淧owerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,鈥� the statement continued. 鈥淗owever, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.鈥� 

鈥楧evil and the deep blue sea鈥�

Despite PowerSchool鈥檚 promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told 麻豆精品. 

But because its student information system plays such a significant role in day-to-day operations 鈥� and contains so much information about students 鈥� he said that switching to a competitor could become a logistical nightmare. 

鈥淢any school districts are between the devil and the deep blue sea,鈥� Williams said. 鈥淢any of them don鈥檛 have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.鈥� 

While the company may not be a household name 鈥� save for a flood of recent press following the breach 鈥� its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics. 

The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America鈥檚 100 largest school districts. 

PowerSchool was by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform , has acquired , such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation鈥檚 K-12 classrooms.

Williams is the author of the central to the Wisconsin district鈥檚 claims against PowerSchool. Created by the , a collaborative effort between school districts and technology vendors to keep students鈥� information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with 鈥� 鈥� follow stringent security practices. 

Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker. 

PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC鈥檚 reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession. 

Through the agreements, PowerSchool also vowed to 鈥渁bide by and maintain adequate data security measures, consistent with industry standards鈥� for the storage of sensitive records. 

Williams accused the company of breaching those requirements 鈥� laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium. 

鈥淲e just felt that at some point you have to police the process, at some point you have to draw a red line,鈥� Williams told 麻豆精品. 鈥淲e鈥檝e got to protect the contract because it protects schools and it protects kids. So that鈥檚 not negotiable for us.鈥� 

Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool 鈥� and court-ordered accountability 鈥� to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.

鈥淎t this point their word, to us, can鈥檛 be trusted,鈥� Shinoff said. 鈥淔or them to have someone that they鈥檙e reporting to for a period of time is something that鈥檚 essential 鈥� especially when we鈥檙e dealing with thousands and thousands of districts across the country.鈥�

Data practices under a microscope

Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security 鈥� and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students鈥� personal information out of the hands of malicious actors. 

As an early adopter of a to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide. 

Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.

During the event, the company free webinars, training videos and other resources to help schools better secure their systems. 

In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 鈥渞elentless investment and focus on every element of security.鈥� 

Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 鈥渢o determine if they broke any laws.鈥�

The company is also facing bipartisan federal questioning. In , senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals. 

鈥淪chool district leaders who we have spoken with raised serious concerns about delays in your company鈥檚 response to the cybersecurity incident, including delayed notifications to impacted schools,鈥� wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach. 

PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 鈥渁dult students and educators.鈥� Keeber, the PowerSchool spokesperson, said in the statement the company has seen 鈥渘o evidence of fraud or further misuse of the information involved to date.鈥� 

But the senators wrote that PowerSchool 鈥渉as not clearly communicated a date by which impacted individuals will receive鈥� the services. 

鈥淵our delayed and unclear communication is unacceptable,鈥� the letter continued, 鈥渆specially given the sensitive nature of the personal data that was stolen.鈥�

Information PowerSchool takes is 鈥榲irtually unlimited鈥�

Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.

They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.

One brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 鈥減artners鈥� with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot. 

鈥淭he information PowerSchool takes from students is virtually unlimited,鈥� the complaint alleges. 鈥淚t includes everything from education records and behavioral history to health data and information about a child鈥檚 family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.鈥�

In a motion to dismiss the lawsuit, PowerSchool鈥檚 attorneys claimed Cherkin鈥檚 complaint relied on 鈥渂road, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.鈥� 

Keebler, the company spokesperson, denied Cherkin鈥檚 claims that it sells data or uses personal data to train its chatbots. 

But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals 鈥� and should have been a red flag all along. She compared Powerschool鈥檚 business model to that of social media companies that are built to amass and monetize user data. 

鈥淚鈥檓 truly not at all shocked that this happened,鈥� she said of the breach. 鈥淭he only way, really, to keep data safe is to not collect it and stockpile it in the first place.鈥�

Get stories like these delivered straight to your inbox. Sign up for 麻豆精品 Newsletter