Texas Lawyer Common Ken Paxton has filed a lawsuit towards schooling software program firm PowerSchool, which suffered a large data breach in December that uncovered the non-public info of 62 million college students, together with over 880,000 Texans.
PowerSchool is a cloud-based software program options supplier for Okay-12 colleges and districts, with greater than 18,000 prospects and supporting over 60 million college students worldwide.
In January, the schooling software program big disclosed that its PowerSource buyer help portal was breached on December 19, 2024, utilizing a subcontractor’s stolen credentials. The attacker demanded a $2.85 million ransom in Bitcoin on December 28, 2024, after stealing the total names, bodily addresses, telephone numbers, passwords, guardian info, contact particulars, Social Safety numbers, and medical information of impacted college students and college.
As BleepingComputer first reported, the menace actor behind the December 2024 PowerSchool breach claimed to have stolen the non-public information of 62.4 million college students and 9.5 million academics from 6,505 faculty districts throughout the U.S., Canada, and different nations.
“PowerSchool’s failures violate each the Texas Misleading Commerce Practices Act and the Identification Theft Enforcement and Safety Act by deceptive prospects about its security practices and failing to take cheap measures to guard delicate info entrusted by Texas households and faculty districts,” the Workplace of the Lawyer Common of Texas stated.
“If Massive Tech thinks they will revenue off managing kids’s information whereas reducing corners on security, they’re lifeless mistaken. Dad and mom ought to by no means have to fret that the data they supply to enroll their kids in class could possibly be stolen and misused. My workplace will do all the things we will to carry PowerSchool accountable for placing Texas college students, academics, and households in danger,” Lawyer Common Paxton added on Wednesday.
Attacker extorts colleges, pleads responsible
In a personal FAQ shared with prospects and reviewed by BleepingComputer on the time, PowerSchool acknowledged that it had made a ransom fee to cease the info from being disclosed and obtained a video from the attacker claiming that the stolen information had been erased.
Nevertheless, the menace actor didn’t hold their promise, because it started individually extorting faculty districts in early Might, threatening to launch the beforehand stolen scholar and trainer information if a ransom was not paid.
Later that month, 19-year-old faculty scholar Matthew D. Lane from Worcester, Massachusetts, pleaded responsible to orchestrating the large cyberattack on PowerSchool with the assistance of a number of different conspirators and making an attempt to extort hundreds of thousands of {dollars} in alternate for not leaking the stolen information of hundreds of thousands.
Based on faculty notices and a DataBreaches.web report, the ransom calls for despatched to highschool districts claimed to be from ShinyHunters, a high-profile group of menace actors linked to a variety of breaches that had impacted lots of of hundreds of thousands of individuals.
In March, PowerSchool additionally printed a CrowdStrike investigation into the incident, which revealed that menace actors had additionally breached PowerSource in August and September 2024, utilizing the identical compromised credentials. Nevertheless, the cybersecurity firm was unable to search out proof that the identical attacker was liable for all three breaches.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration developments.
