24 hours. That’s the gap between PowerSchool’s disclosure of a hacking incident affecting teacher and student data and the filing of the first potential class-action lawsuit. Bloomberg Law reports on three potential class-action lawsuits that were filed on January 8th and 9th against the provider of cloud-based education software for K-12 schools:
The complaints bring a variety of claims, including negligence, negligence per se, breach of fiduciary duty, breach of confidence, invasion of privacy/intrusion upon seclusion, breach of implied contract, unjust enrichment, declaratory judgment, and violations of the California Consumer Privacy Act.
The plaintiffs are variously seeking compensatory, statutory, exemplary, and punitive damages; statutory penalties; restitution; equitable and injunctive relief; attorneys’ fees and costs; and pre- and post-judgment interest.
The cases are are Buack-Shelton v. PowerSchool Holdings Inc., E.D. Cal., No. 2:25-at-00037, complaint filed 1/8/25, Baker v. PowerSchool Holdings Inc., E.D. Cal., No. 2:25-at-00040, complaint filed 1/9/25, and Kinney v. PowerSchool Holdings Inc., E.D. Cal., No. 2:25-at-00042, complaint filed 1/9/25. The complaints are uploaded to Bloomberg’s server.
PowerSchool’s initial disclosures suggested that they had paid the threat attacker to delete the stolen data and had obtained video evidence that it was deleted. As many people have commented in various forums where the breach is being discussed, however, what PowerSchool believes is not the same as proof that all data have really been deleted and that there is no other copy somewhere that the threat actor has stashed away for later use or sale.