Texas Attorney General Ken Paxton has filed a lawsuit against education software company PowerSchool, which suffered a massive data breach in December that exposed the personal information of 62 million students, including over 880,000 Texans.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts, with more than 18,000 customers and supporting over 60 million students worldwide.
In January, the education software giant disclosed that its PowerSource customer support portal was breached on December 19, 2024, using a subcontractor's stolen credentials. The attacker demanded a $2.85 million ransom in Bitcoin on December 28, 2024, after stealing the full names, physical addresses, phone numbers, passwords, guardian information, contact details, Social Security numbers, and medical data of impacted students and faculty.
As BleepingComputer first reported, the threat actor behind the December 2024 PowerSchool breach claimed to have stolen the personal data of 62.4 million students and 9.5 million teachers from 6,505 school districts across the U.S., Canada, and other countries.
“PowerSchool’s failures violate both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act by misleading customers about its security practices and failing to take reasonable measures to protect sensitive information entrusted by Texas families and school districts,” the Office of the Attorney General of Texas said.
“If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they’re dead wrong. Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused. My office will do everything we can to hold PowerSchool accountable for putting Texas students, teachers, and families at risk,” Attorney General Paxton added on Wednesday.
Attacker extorts schools, pleads guilty
In a private FAQ shared with customers and reviewed by BleepingComputer at the time, PowerSchool acknowledged that it had made a ransom payment to stop the data from being disclosed and received a video from the attacker claiming that the stolen data had been erased.
However, someone claiming to be ShinyHunters began individually extorting school districts in early May, threatening to release the previously stolen student and teacher data if a ransom was not paid.
The leader of ShinyHunters claimed to BleepingComputer that this person was an affiliate falsely impersonating the hacking group, who tried to re-extort PowerSchool with data stolen in an earlier September 2024 breach seen by CrowdStrike.
Later that month, 19-year-old college student Matthew D. Lane from Worcester, Massachusetts, pleaded guilty to orchestrating the massive cyberattack on PowerSchool with the help of a number of other conspirators and attempting to extort millions of dollars in exchange for not leaking the stolen data of millions.
According to school notices and a DataBreaches.net report, the ransom demands sent to school districts claimed to be from ShinyHunters, a high-profile group of threat actors linked to a wide range of breaches that had impacted hundreds of millions of people.
In March, PowerSchool also published a CrowdStrike investigation into the incident, which revealed that threat actors had also breached PowerSource in August and September 2024, using the same compromised credentials. However, the cybersecurity company was unable to find evidence that the same attacker was responsible for all three breaches.
Update 9/4/25: Added information about ShinyHunters affiliate.