TEXAS – Texas Attorney General Ken Paxton has filed a lawsuit against PowerSchool, a California-based provider of cloud-based services for K-12 schools, after an unprecedented data breach exposed the sensitive personal identifying information and protected health information of more than 880,000 Texas school-aged children and teachers.
According to Paxton, PowerSchool’s software collects, processes, and secures sensitive information that Texas schools require from parents enrolling their children and from their employees.
Recommended Videos
PowerSchool markets itself as an all-in-one platform for managing student information, enrollment, and other school operations, and promotes its software as meeting “the highest security standards” and offering “state-of-the-art protections” for student and employee data.
Paxton said, contrary to these claims, the company failed to implement the most basic security features, including multi-factor authentication, adequate access controls, and proper data encryption.
“The State has reason to believe that numerous Independent School Districts in Texas use PowerSchool’s SIS software to store PII, PHI, and other SPI, including but not limited to Dallas, Frisco, Plano, McKinney, Houston, Katy, Lovejoy, and more.”
Paxton said in December 2024, a hacker used a subcontractor’s account to gain administrative access and transferred large amounts of unencrypted data to a foreign server.
The stolen information included names, addresses, Social Security numbers, medical details, disability records, special education data, and bus stops—which can be used to physically locate Texas children.
The lawsuit alleges that PowerSchool’s failures violate both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act by misleading customers about its security practices and failing to take reasonable measures to protect sensitive information entrusted by Texas families and school districts.
“If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong,” said Attorney General Paxton. “Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused. My office will do everything we can to hold PowerSchool accountable for putting Texas students, teachers, and families at risk.”
The Houston Independent School District, the largest school district in Texas, uses HISD Connect by PowerSchool for Student Information System (SIS). The district says it contains information on student contact, enrollment, demographics, grades, and online resources. Parents of each student are given an access ID, which they can use to create an account to access their student’s profile through the parent portal. The school should contact parents whose students haven’t been provided with an access ID.
HISD says PowerSchool told the district that its data was not affected by the breach.
To learn more about the district’s use of PowerSchool, click here.
PowerSchool released the following statement regarding the lawsuit:
“From the moment PowerSchool became aware of this incident back in December of 2024, we worked nonstop to minimize any impact on students, families, educators, and school districts. We quickly notified relevant regulators on our customers’ behalf in applicable jurisdictions as well as students (or their parents/guardians) and educators in the U.S. and Canada. We continued supporting customers throughout our investigation, and offered complimentary identity protection services including, if applicable, credit monitoring services, for involved students and educators, regardless of whether an individual’s information was exfiltrated. On March 7, we shared the final CrowdStrike Incident Report with our customers and called out key learnings from the incident on our website. With respect to the lawsuit being filed by Texas’ Attorney General, PowerSchool intends to vigorously defend itself and to continue to prioritize the customers, communities, and individuals PowerSchool serves.”