Texas Sues PowerSchool Over Data Breach Affecting 62M Students
▼ Summary
– Texas Attorney General Ken Paxton has sued PowerSchool over a December 2024 data breach that exposed personal information of 62 million students, including over 880,000 Texans.
– The breach occurred via a subcontractor’s stolen credentials and resulted in the theft of sensitive data like names, addresses, Social Security numbers, and medical information.
– A ransom of $2.85 million in Bitcoin was demanded, and PowerSchool paid to prevent data disclosure, though extortion attempts against schools continued later.
– Matthew D. Lane, a 19-year-old, pleaded guilty to orchestrating the cyberattack and attempting to extort millions of dollars.
– PowerSchool faced additional breaches in August and September 2024, with investigations unable to confirm if the same attacker was responsible for all incidents.
The state of Texas has taken legal action against education technology firm PowerSchool following a major data breach that compromised the personal details of millions of students, including hundreds of thousands in Texas. Attorney General Ken Paxton filed the lawsuit, asserting that the company failed to adequately protect sensitive information belonging to students, parents, and educators.
PowerSchool provides cloud-based software solutions to K-12 educational institutions, serving more than 18,000 customers and supporting over 60 million students globally. In December 2024, an unauthorized individual gained access to the company’s PowerSource customer support portal using stolen credentials from a subcontractor. The intruder exfiltrated a vast array of personal data, including full names, physical addresses, phone numbers, passwords, parent contact details, Social Security numbers, and medical records.
On December 28, the attacker demanded a ransom of $2.85 million in Bitcoin, threatening to release the stolen information. According to initial reports, the breach affected approximately 62.4 million students and 9.5 million teachers across 6,505 school districts in the United States, Canada, and other nations.
The Texas Attorney General’s office accused PowerSchool of violating both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. Officials stated that the company misled customers regarding its security protocols and neglected to implement reasonable safeguards for the highly sensitive data entrusted to it by Texas families and school districts.
In a public statement, Paxton emphasized, “If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong. Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused.” He vowed to pursue accountability for the company’s lapses.
PowerSchool reportedly paid the ransom to prevent public disclosure of the data and received a video from the attacker purportedly showing the destruction of the stolen files. However, in early May, an individual claiming affiliation with the well-known hacking group ShinyHunters began contacting school districts directly, threatening to release the data unless additional payments were made.
Investigations later revealed that this individual was not actually part of ShinyHunters but was impersonating the group in an attempt to extort money using data stolen in an earlier September 2024 breach. Shortly afterward, 19-year-old Matthew D. Lane from Massachusetts pleaded guilty to orchestrating the cyberattack with several accomplices and attempting to extort millions of dollars.
A CrowdStrike investigation commissioned by PowerSchool confirmed that threat actors had breached the PowerSource portal on three separate occasions in 2024, August, September, and December, using the same compromised credentials. However, the cybersecurity firm found no conclusive evidence linking the same attacker to all three incidents.
(Source: Bleeping Computer)
