Woods Lonergan PLLC Investigates Class Action Against PowerSchool for Massive Data Breach Potentially Exposing the Highly Sensitive Information of 62 Million Students and 9.5 Million Educators

NEW YORK, NY – [February 4, 2025] – Woods Lonergan PLLC, a leading complex litigation firm including class action lawsuits and data privacy litigation, is actively investigating a class action against PowerSchool, a major provider of K-12 education software, following a massive data breach that potentially exposed the personally identifiable information (PII) of over 62 Million students and 9.5 Million teachers across the United States and Canada now feared to be on the Dark Web. This breach potentially compromised an alarming amount of highly sensitive, confidential data of K-12 students, including:

Social Security Numbers, (SSN)
Home Addresses, Emails, Phone Numbers, and Emergency Contacts
Individualized Special Education Plans (IEPs and 504s, including Student Educational and Psychological Evaluations)
Confidential Medical Records
Disciplinary Records
Student Grades and Transcripts
Sensitive Custody Arrangements

If your child’s school district notified you of the PowerSchool data breach or posted a notice on their school district website, your child’s personal information may be compromised. Please call our law offices at (212) 684-2500 or Schedule a Confidential Consultation with our Data Breach Lawyers today.

Jump to a Topic

Details of the PowerSchool Data Breach and Alleged Negligence

PowerSchool discovered the data breach on December 28, 2024, during the end-of-year holiday break for many schools in the United States and Canada, but evidence suggests unauthorized access likely began earlier. The breach was executed through a compromised credential for a maintenance account with extensive access, a vulnerability exacerbated by PowerSchool’s alleged failure to implement multi-factor authentication. The data breach impacted PowerSchool’s PowerSource customer support portal and its Student Information System (SIS) databases, affecting millions of students and educators across thousands of school districts in the US and Canada. Importantly, this breach occurred during the holiday break period,when schools are typically closed or operating with reduced staff, creating a heightened risk of cyberattacks due to potentially reduced monitoring and slower response times.

The investigation indicates this failure constitutes negligence in PowerSchool’s handling of highly sensitive student and teacher data. Furthermore, it appears that PowerSchool’s inadequate monitoring for unauthorized access and delayed notification to affected individuals and authorities exacerbated the impact of the breach. This alleged negligence constitutes a violation of various state and federal privacy laws, including FERPA..

“‘The scope and sensitivity of the data compromised in this breach are deeply concerning,’ said Jim Woods, Managing Partner of Woods Lonergan PLLC. ‘According to K-12 Dive, the PowerSource portal lacked multi-factor authentication, [1] a basic security measure. SecurityWeek reports that 150 unique data fields per student and 97 per staff member were exfiltrated.[2] This is a clear violation of PowerSchool’s legal obligation to protect this data. We are committed to fighting for justice and compensation for the victims and ensuring that PowerSchool is held to the highest standards of data security.'”

Impact on Victims

The breach has put millions of students, teachers, and their families at risk of identity theft, financial fraud, and emotional distress. The potential exposure of sensitive information such as Social Security numbers, medical records, and educational records could have long-lasting adverse consequences for victims.

Legal Claims

The investigation is focused on potential violations of:

FERPA (Family Educational Rights and Privacy Act): Protecting student data privacy.
State Data Breach Notification Laws: Violations of relevant state laws.
Negligence: PowerSchool’s failure to adequately protect sensitive data.

Woods Lonergan PLLC is a leading New York-based litigation firm specializing in complex civil litigation, including class action data privacy and cybersecurity matters.Our law firm is currently representing plaintiffs in the 23andMe data Breach Lawsuit, wherein a proposed settlement of $30 million dollars is pending approval in the U.S. District Court for the Northern District of California. Woods Lonergan has a proven track record of successfully holding large corporations accountable for failing to protect highly sensitive consumer data.

[1] Anna Merod, PowerSchool data breach brings claims of negligence, poor cyberhygiene, K-12 Dive (Jan. 22, 2025), https://www.k12dive.com/news/powerschool-data-breach-lawsuits-negligence/737900/.

[2] Ionut Arghire, Millions Impacted by PowerSchool Data Breach, SecurityWeek (Jan. 24, 2025), https://www.securityweek.com/millions-impacted-by-powerschool-data-breach/.

About the Author

Andreas E. Christou is an Associate Attorney with Woods Lonergan PLLC, having joined in 2020. Andreas received his J.D. from St. John’s University School of Law and his B.A. in Political Science from Pace University. Previously, Andreas worked at a Queens-based law firm where he litigated in state and federal courts and primarily handled consumer bankruptcy, real estate litigation and commercial litigation matters. At Woods Lonergan, Andreas handles a variety of state and federal matters including bankruptcy, real estate litigation, specifically focused on representing the boards of condominium and cooperative communities in New York City, FLSA actions, personal injury, and general commercial and corporate litigation. If you have any questions regarding this blog, you can book a consultation with Andreas here.