North Carolina Targets PowerSchool After Massive Student Data Breach

North Carolina Attorney General Jeff Jackson is turning up the heat on education technology giant PowerSchool in the wake of a wide-reaching data breach that compromised the personal information of millions of students, parents, and educators. In a rare move, Jackson issued a Civil Investigative Demand (CID) seeking comprehensive answers about what went wrong and how the company plans to fix it. If you’ve been following our edtech privacy litigation series, you will know that privacy violations and lawsuits are gaining a lot of traction in the education space, and the best way to resolve this is to use CaptainCompliance.com’s privacy software tools.

The Fallout from the 2024 PowerSchool Breach

The breach, first disclosed in late 2024, sent shockwaves through school districts across the U.S. The exposed data includes full names, home addresses, Social Security numbers, academic records, and even medical information in some cases. Nearly 4 million North Carolina residents were affected, with other states also reporting large-scale exposure. The scope of the breach raised alarm not only because of the sensitivity of the data, but because so many of the victims are minors.

Perhaps most concerning is the revelation that PowerSchool reportedly paid a ransom to hackers in an effort to retrieve or erase stolen data. Yet after the payment, the attackers are believed to have contacted individual school districts in a further extortion attempt—suggesting the data may not have been destroyed after all.

Attorney General’s Formal Inquiry

In response, AG Jackson’s office has demanded a wide range of documentation and explanations from PowerSchool. The CID compels the company to provide the following:

  1. Details on how many North Carolinians were impacted
  2. A breakdown of the company’s cybersecurity framework prior to the breach
  3. An explanation of how the attackers accessed protected systems
  4. A timeline of the breach response and communication with school districts
  5. A full list of steps taken since the breach to improve data security
  6. Information on how affected individuals have been notified and supported

These demands signal a more aggressive stance from state officials, who are increasingly scrutinizing education software vendors under consumer protection and data security laws. Jackson emphasized that families have a right to know why their private information was vulnerable and what PowerSchool is doing to ensure it doesn’t happen again.

Legal and Regulatory Tensions Mount

This isn’t just a North Carolina story. States across the country are now dealing with the aftershocks of PowerSchool’s breach. Texas has reported nearly 800,000 affected residents, while Maine and others are beginning to receive formal notifications. Federal law enforcement has also weighed in—19-year-old Matthew Lane was charged and pled guilty to cyber extortion related to the incident, according to Justice Department filings.

The PowerSchool case has drawn particular attention because of the nature of the data compromised. Student information, especially involving minors, is governed by a combination of state privacy laws and federal regulations like the Family Educational Rights and Privacy Act (FERPA). The intersection of consumer protection law and education privacy frameworks is creating new legal risk vectors for both edtech firms and the school systems that rely on them.

Key Lessons for the Education Sector

As this case unfolds, it serves as a warning shot for any organization that manages or shares student data. Breach prevention and response are no longer just IT issues—they’re full-blown compliance and legal challenges. Educational institutions and vendors alike need to reassess how they protect sensitive data and how they contract with one another around cybersecurity responsibilities.

  • Review and revise vendor contracts to ensure clear breach reporting and indemnity obligations.
  • Implement multi-factor authentication (MFA) and stricter access controls on all user accounts.
  • Conduct risk assessments and simulated incident response drills at least twice annually.
  • Ensure that data minimization practices are in place to limit what is stored and for how long.
  • Prepare clear communication protocols for informing affected families if a breach occurs.

What This Means Moving Forward

The PowerSchool investigation represents a turning point in how public agencies respond to data breaches involving school systems. With millions of families affected and growing public awareness around data rights, states are signaling that apologies and temporary fixes are no longer enough. Companies entrusted with sensitive educational data will need to prove—on paper and in practice—that they are capable stewards of that trust.

As the education sector becomes more digitized, compliance and security cannot be left behind. Transparency, accountability, and proactive data governance must become the standard, not the exception. Unfortunately, companies in the education sector will not take this seriously until more suits, investigations, and fines are handed out and they are forced to do so. Perhaps 2025 is the turning point for privacy!
