Paubox blog

Texas sues PowerSchool over massive student data breach

Written by Farah Amod | September 16, 2025

The December 2024 breach exposed the personal information of 62 million students, including over 880,000 from Texas alone.

What happened

Texas Attorney General Ken Paxton has filed a lawsuit against PowerSchool, accusing the education software provider of failing to protect student data and misleading the public about its security practices. The breach in December 2024 exposed the personal information of more than 62 million students and 9.5 million teachers worldwide, including over 880,000 individuals from Texas.

The attacker reportedly used credentials stolen from a subcontractor to access PowerSchool’s PowerSource customer support portal. A $2.85 million ransom was demanded on December 28. The stolen data included full names, addresses, Social Security numbers, phone numbers, passwords, medical information, and parental contact details.

Going deeper

PowerSchool provides cloud-based solutions to over 18,000 K–12 schools and districts. In a private FAQ shared with customers, the company admitted to paying a ransom and receiving a video showing that the data had allegedly been deleted.

However, by May 2025, new extortion attempts emerged. Multiple school districts received ransom demands from someone claiming to be part of the ShinyHunters hacking group. The individual threatened to release the stolen data unless additional payments were made.

Later, the attacker was identified as 19-year-old Matthew D. Lane, a Massachusetts college student who pleaded guilty to orchestrating the breach. According to investigators, the breach timeline extended back to August and September 2024, when PowerSource was first compromised using the same credentials.

What was said

Texas officials say PowerSchool violated the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. Paxton’s office criticized PowerSchool for “cutting corners on security” and misleading parents and school districts.

“If Big Tech thinks they can profit off managing children's data while cutting corners on security, they are dead wrong,” Paxton said.

PowerSchool has not publicly disputed the ransom amount and has not commented further on the lawsuit, deferring to the U.S. Attorney’s Office.

FAQs

What laws is PowerSchool accused of violating in Texas?

The Texas Attorney General alleges PowerSchool violated the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act due to misleading statements and inadequate data protection.

Why was the PowerSource portal so vulnerable to attack?

The attacker accessed PowerSource using stolen subcontractor credentials, which were reportedly not adequately secured or monitored over a period of multiple months.

How can school districts verify if they were affected?

Impacted districts typically receive direct breach notifications. Some also publish data incident updates on their websites or contact families directly through school communication channels.

What is ShinyHunters, and were they involved?

ShinyHunters is a well-known cybercrime group. While someone used their name in follow-up extortion attempts, the group later claimed this individual was an impersonator acting independently.