Texas Attorney General Ken Paxton has filed a lawsuit against PowerSchool, a California-based education technology provider. Lawsuit is filed over a massive PowerSchool data breach that exposed the sensitive personal information of more than 880,000 Texas school-aged children and teachers.
The PowerSchool data breach, which occurred in December 2024, compromised data including names, addresses, Social Security numbers, medical details, disability records, special education information, and even school bus stop locations. Officials say the scope of the exposure puts children and educators at serious risk of identity theft and other security threats.
Details of the PowerSchool Data Breach
According to court filings, a hacker gained access to PowerSchool’s systems through a subcontractor’s account, which lacked adequate protections. With administrative-level access, the attacker was able to transfer large amounts of unencrypted data to a foreign server.
PowerSchool’s platform is widely used across the United States. The company provides cloud-based services for K-12 schools, including student information management, enrollment systems, and operational tools. It advertises itself as serving about 18,000 districts or schools nationwide, with 6,500 clients directly impacted by the hack.
In total, more than 62 million students and nearly 10 million teachers worldwide were affected. In Texas alone, the number of exposed individuals stands at 880,000.
Allegations Against PowerSchool
The Texas Attorney General’s Office alleges that PowerSchool violated both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. Investigators argue that PowerSchool misled customers about the strength of its cybersecurity measures and failed to implement even basic safeguards, such as multi-factor authentication, strict access controls, and data encryption.
“Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused,” Paxton said in a statement. “If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong. My office will do everything we can to hold PowerSchool accountable for putting Texas students, teachers, and families at risk.”
The lawsuit asserts that PowerSchool marketed its software as meeting “the highest security standards” and offering “state-of-the-art protections” while in reality failing to uphold those promises.
Response and Accountability
PowerSchool has acknowledged that its systems did not have multi-factor authentication in place before the breach. However, the company has not publicly commented on the Texas lawsuit. A spokesperson did not respond to inquiries this week.
Earlier this year, a Massachusetts college student pleaded guilty to carrying out the hack, though details of sentencing and restitution remain unclear. Despite this, Paxton’s office maintains that PowerSchool bears direct responsibility for the scale of the exposure due to its inadequate security practices.
Broader Impact
The lawsuit is among the most high-profile actions taken against a technology vendor in the education sector. With schools increasingly reliant on cloud-based services to manage student and employee information, the case highlights growing concerns about data protection and the responsibilities of third-party providers.
Cybersecurity experts note that the exposure of sensitive records—particularly health and disability data—creates long-term risks for children and educators alike. The inclusion of bus stop information in the stolen files has also raised alarm, as such details could be used to physically locate minors.
The Texas case adds to mounting pressure on PowerSchool, which has faced scrutiny from multiple states and districts since the breach. Regulators and school administrators are calling for stronger oversight of education technology companies that handle vast amounts of personal and sensitive data.
Looking Ahead
As the lawsuit moves forward, Paxton’s office has signaled its intent to seek penalties and stronger protections for Texas families. “We will pursue every avenue to ensure companies that handle children’s information are held to the highest standards,” Paxton said.
For parents and teachers impacted by the PowerSchool data breach, the Texas Attorney General’s Office has urged vigilance in monitoring accounts, credit activity, and personal records.
