
Why is PowerSchool being sued by the Texas Attorney General?
Texas Attorney General Ken Paxton is suing PowerSchool for failing to protect student and teacher data, and for misleading customers about its security standards.
The lawsuit—now known publicly as the PowerSchool Data Breach Lawsuit—alleges violations of Texas’s Identity Theft Enforcement and Protection Act and the Deceptive Trade Practices Act.
PowerSchool claimed “state-of-the-art” security but failed to use basic protections like multi-factor authentication or encryption.
AG Paxton accuses the company of “gross negligence” in handling sensitive student data.
Read the Texas Attorney General press release for official details on the case.
What is the PowerSchool data breach and who was affected?
The PowerSchool Data Breach Lawsuit stems from a breach in December 2024 that exposed the data of over 880,000 Texans, including children, teachers, and school employees. Globally, more than 62 million students and 10 million educators were affected.
- The breach targeted PowerSchool’s student information systems used by thousands of districts.
- Texas was one of the hardest-hit states—fueling Paxton’s aggressive legal response.
- Victims include children with special needs, families with health data exposed, and schools facing fallout.
This was more than a tech issue—it was a systemic failure that triggered statewide legal action.
When did the PowerSchool breach happen and when did the lawsuit begin?
The breach occurred in mid-to-late December 2024, but the lawsuit wasn’t filed until September 2025, months after victims were notified.
- Breach began on or around December 19 and was detected on December 28
- Affected schools and individuals were informed in January 2025
- AG Paxton filed suit in September 2025, citing delays, poor transparency, and negligence
The timeline matters: it shows the gap between breach detection, response, and now, accountability through litigation.
What kind of data triggered this lawsuit?
The lawsuit identifies unencrypted personal and sensitive data that should have been protected under multiple privacy laws:
- Full names, Social Security numbers (for some), phone numbers, and addresses
- Medical records, disability status, and IEP documentation
- School bus stop data, schedules, and attendance records
PowerSchool failed to use encryption or access control safeguards. The PowerSchool Data Breach Lawsuit hinges on the company's neglect of even the basic practices of managed security services.
What did the hackers demand, and why is that part of the legal issue?
PowerSchool paid a $2.85 million ransom to the attackers—a key fact cited in the lawsuit.
- Hackers demanded Bitcoin in exchange for not leaking the stolen data
- PowerSchool confirmed the payment after public pressure
- The ransom highlights how vulnerable the system was
- AG Paxton argues this ransom was the direct result of negligent security
The AG’s case draws a direct line: if PowerSchool had basic protections in place, there’d be no ransom, no breach, and no lawsuit.
What are the legal and business risks for affected schools, students, and teachers?
Paxton’s lawsuit details how victims now face identity theft, fraud, and personal security threats (especially children).
School districts using PowerSchool may also face compliance investigations and civil lawsuits.
- Identity theft and fraud (especially for minors)
- Physical safety risks from leaked transportation data
- Lawsuits or investigations into school districts that used PowerSchool
This lawsuit doesn’t just blame PowerSchool. It calls out poor vendor vetting, ineffective cybersecurity, and lack of organizational due diligence.
What should schools, districts, and businesses do right now to protect themselves?
The PowerSchool Data Breach Lawsuit is a wake-up call. Schools and businesses that rely on cloud platforms or third-party vendors must act:
Immediate steps:
- Notify individuals if you haven’t already
- Offer identity protection and credit monitoring
- Review cyber insurance policies and breach response plans
Ongoing protections:
- Require multi-factor authentication for all users and vendors
- Deploy 24/7 threat monitoring with endpoint security
- Audit vendor practices and require encryption
- Train staff on how to spot phishing scams
Waiting for a breach (or a lawsuit) is not a strategy.
How did PowerSchool’s security failures cause this lawsuit?
According to AG Paxton, PowerSchool ignored standard security practices and failed to protect against basic threats.
AG Paxton’s legal argument is clear: this breach wasn’t advanced. It was enabled by missing security fundamentals like MFA and encryption.
- A subcontractor’s credentials were compromised
- PowerSchool didn’t enforce MFA
- Sensitive data was stored unencrypted
The PowerSchool Data Breach Lawsuit claims this wasn’t a sophisticated hack. The lawsuit argues it was corporate negligence at the infrastructure level.
What laws did PowerSchool allegedly violate?
According to the legal filing:
- Texas Identity Theft Enforcement and Protection Act
- Texas Deceptive Trade Practices Act (DTPA)
These laws require businesses to protect personal data and to be truthful in their public claims. PowerSchool is accused of violating both—by failing to secure student data and misleading customers about its security capabilities.
Could the breach (and the lawsuit) have been avoided?
Yes. And that’s the heart of Paxton’s lawsuit.
- MFA would’ve blocked the initial unauthorized access
- Encryption would’ve made the data useless to hackers
- Vendor controls could’ve caught the compromised subcontractor
- Real-time detection would have caught lateral movement before data was stolen
The PowerSchool Data Breach Lawsuit argues this wasn’t bad luck. It was bad planning.
What happens next for PowerSchool and what can other businesses learn from it?
PowerSchool now faces prolonged legal battles, reputational damage, and possible regulatory oversight. But the bigger takeaway is what this means for your organization.
- Expect increased scrutiny on vendor security
- Schools and businesses may re-evaluate third-party tools
- CEOs and IT leaders must now prove due diligence
This case sets a precedent—and puts other organizations on notice.
How 7tech helps schools and businesses avoid lawsuits like PowerSchool’s
At 7tech, we don’t just respond to breaches. We prevent the ones that lead to lawsuits. Our Managed Security Services are designed to close the very gaps this case highlights.
We help clients:
- Enforce mandatory MFA across all access points
- Encrypt sensitive data at rest and in motion
- Monitor systems 24/7 with live threat analysts
- Audit vendor security posture
- Stay compliant with HIPAA, CMMC 2.0, FTC Safeguards, and more
If you’re concerned about your exposure or risk, book a free and confidential Essential Cybersecurity Audit today. 7tech will help you avoid headlines like this.
Click here to book your Cybersecurity Audit: https://www.7tech.com/cybersecurity-audit/

Neal Juern, CEO of 7tech, helps business leaders take control of their IT and strengthen cybersecurity without the complexity. Known for his straight-talk, business-first approach, Neal has guided hundreds of executives toward smarter, safer operations through Managed IT Services and Managed Security Services that make sense to people outside the IT department.







