Texas Attorney General Ken Paxton has launched a legal broadside against education tech giant PowerSchool following a massive data breach that’s left the personal information of more than 880,000 Texas students and teachers exposed to hackers.
The December 2024 breach, which cybersecurity experts have described as approaching a “worst-case scenario,” occurred when hackers gained administrative access through a subcontractor’s compromised account. The breach exposed an alarming range of sensitive, unencrypted data: names, addresses, Social Security numbers, medical information, disability records, special education plans, and even students’ bus stop locations — essentially a complete digital dossier of vulnerable school children across the state.
Security Promises vs. Reality
“If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong,” Paxton said in a statement about the lawsuit. “Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused. My office will do everything we can to hold PowerSchool accountable for putting Texas students, teachers, and families at risk,” he declared.
The lawsuit alleges PowerSchool violated both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. At issue is the stark contrast between the company’s marketing claims and its actual security practices. While PowerSchool publicly boasted about meeting “the highest security standards” with “state-of-the-art protections,” investigators found the company had failed to implement even basic security measures such as multi-factor authentication, proper access controls, and adequate data encryption, according to sources familiar with the case.
How widespread is PowerSchool’s reach? The company serves more than 75% of students across North America, making it the dominant player in K-12 educational software. This ubiquity is precisely what makes the breach so concerning to privacy advocates and parents alike. The compromised credentials allowed hackers access to the PowerSource customer support portal, affecting millions of students and teachers nationwide, not just in Texas, as documented by cybersecurity researchers.
Growing Legal Challenges
Texas isn’t alone in taking legal action. Memphis-Shelby County Schools filed their own lawsuit in May 2025 after facing extortion threats related to the stolen data. Curiously, despite these legal challenges, the Memphis-Shelby County School Board subsequently renewed PowerSchool’s contract — a decision that has raised eyebrows among privacy advocates and observers.
Perhaps most troubling, reports indicate PowerSchool paid a ransom to hackers who allegedly promised to delete the stolen data — a practice cybersecurity experts generally discourage as it provides no guarantee the information won’t be copied or sold elsewhere.
The Texas lawsuit seeks significant penalties against PowerSchool, though the precise amount hasn’t been disclosed. Under Texas law, violations of the Identity Theft Enforcement and Protection Act can result in penalties up to $50,000 per violation.
For parents and educators, the breach represents yet another chapter in the ongoing tension between educational technology’s benefits and its risks. While digital tools have revolutionized classroom management and student assessment, they’ve also created massive repositories of sensitive information that, when breached, can have life-altering consequences for vulnerable young people.
As one cybersecurity expert put it, this breach represents “close to a ‘worst-case scenario’” given PowerSchool’s dominance in the education sector. With personal data that could facilitate identity theft, medical fraud, or even physical stalking now potentially in criminal hands, the full impact of this breach may not be known for years to come.

