Tenn. School System Sues PowerSchool Over Hacking
A Tennessee public school system sued software provider PowerSchool over a breach in December 2024 where hackers stole student and teacher data. The complaint alleges breach of contract, false advertising and negligence as a result of personal information being accessed by bad actors.
Sign up for a free preview to unlock the rest of this article
“PowerSchool maintains a website that contained a Global Privacy Statement,” the complaint said. “In this Statement, PowerSchool advertised to users that PowerSchool was ‘committed to protecting [users’] personal information’ and that it ‘endeavors to align its privacy and security operations to best practices and relevant international regulations.’ This representation was one on which school districts, including Plaintiff, reasonably relied,” but “PowerSchool failed to live up to its promise.”
Case 25-01153, filed in the U.S. District Court for Southern California, alleges that the hackers claimed to have accessed the personally identifiable information (PII) of 62.4 million students and 9.5 million teachers, including at least 485,267 former and current students and at least 23,903 staff and faculty in Memphis-Shelby County Schools, despite the school system paying PowerSchool $21 million since 2013 for its services.
“PowerSchool failed to uphold its end of the bargain to safeguard and protect students' personal information," said William Shinoff, a trial attorney at Frantz Law Group, representing the Tennessee school district, in a press release. "The education community reasonably relied on PowerSchool's claims of privacy and security, but the software provider breached numerous contractual and legal duties it owed Memphis-Shelby schools and other districts across the country."
The complaint also claims PowerSchool didn't begin to notify school districts about the breach, which occurred on Dec. 20, 2024, and was discovered by the company on Dec. 28, until Jan. 7, 2025. And it said the company hasn't “directly communicated with many of the victims of the Data Breach to notify them of the attack" or "informed the victims about what PII was stolen.”
PowerSchool was earlier sued in a class action in January in the U.S. District Court for Eastern California over the breach (see 2501220057). At the time, the software company said it was working on resolving issues stemming from the incident (see 2501220093). Also, North Carolina Attorney General Jeff Jackson (D) (see 2502060055) and Canadian Privacy Commissioner Philippe Dufresne are separately investigating the breach (see 2502110031).
In an emailed response to Privacy Daily, PowerSchool said it could not comment on active litigation, but is focused on working directly with customers on this matter. The company also has a web page on its site addressing the cybersecurity incident, published May 7. It acknowledges that PowerSchool “made the decision to pay a ransom” to the hackers following the discovery of the December data breach because it “believed it to be in the best interest of our customers and the students and communities we serve.”
“It was a difficult decision, and one which our leadership team did not make lightly,” the company said. “But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”