Texas Attorney General Ken Paxton has filed a lawsuit against education software company PowerSchool following a major data breach that affected millions of students and faculty, including over 880,000 Texans. The lawsuit alleges that the company failed to protect sensitive information, violating the state’s Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. The breach, which was disclosed in January, stemmed from a subcontractor’s stolen credentials that were used to access PowerSchool’s customer support portal. Attackers were able to steal a wide range of personal data, including full names, addresses, phone numbers, passwords, Social Security numbers, and even medical information.
The breach occurred on December 19, 2024, and the attackers demanded a $2.85 million ransom in Bitcoin just nine days later. PowerSchool acknowledged in a private FAQ that it paid the ransom in an attempt to prevent the data from being disclosed. However, a later extortion attempt began in May, with a threat actor impersonating the notorious hacking group ShinyHunters and demanding ransoms directly from individual school districts. The extortionist threatened to leak the stolen student and teacher data if the schools didn’t pay up. This second round of extortion showed that the company’s initial ransom payment did not fully resolve the threat.
The lawsuit comes after a months-long saga of discovery and legal actions. According to Attorney General Paxton, PowerSchool’s security practices were inadequate, and the company was deceptive about its ability to protect the information it was entrusted with by families and schools. Paxton’s office stated, “If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong.” The lawsuit aims to hold the company accountable for putting Texans at risk and to ensure that companies handling sensitive data are held to a higher standard.
Further complicating the incident, a 19-year-old college student, Matthew D. Lane, pleaded guilty in May to orchestrating the massive cyberattack. He admitted to working with several conspirators to steal the data of millions and then attempt to extort money from the company and individual school districts. While Lane’s guilty plea sheds light on the identity of the person behind the attack, it does not absolve PowerSchool of its alleged role in failing to prevent the breach.
The incident also highlights the complexities of cybersecurity and the ongoing risks faced by institutions that manage vast amounts of personal data. A CrowdStrike investigation commissioned by PowerSchool revealed that the same compromised credentials used in the December breach were also used in earlier attacks in August and September of 2024. While the investigation could not definitively link all three breaches to the same attacker, it suggests a pattern of vulnerabilities that were not adequately addressed. The lawsuit by the Texas Attorney General underscores the legal and financial repercussions companies can face when a data breach of this magnitude impacts so many people.