
Introduction
A lawsuit has been filed against a software provider over a data breach that impacted 500K people last year.
The Memphis-Shelby County Schools (MSCS) filed a lawsuit against PowerSchool, their California-based software company, due to a significant data breach that occurred in December 2024. This breach compromised private data belonging to about 500K current and former students, and over 23K employees. The stolen data included names, addresses, Social Security numbers, medical information, grades, and other personal details.
What happened? How is the software provider implicated in the incident?
Breach on a School’s Private Data
Hackers accessed all of this data through PowerSource, PowerSchool’s customer support platform, and exported the stolen data into a CSV file. PowerSchool first became aware of the breach on December 28, 2024, but they did not notify the affected school districts until January 7, 2025.
Attempting to keep the breach quiet, PowerSchool paid a ransom to the hackers, hoping to prevent the data from being made public. This is a major red flag! Remember, you should never pay a ransomware threat actor what they demand. They are extremely likely to either run off with both your data and your money, or even come back and demand another lump sum to stop them from publishing that information on the Dark Web. Of course, there’s no guarantee that they’ll keep that promise, either.
In this case, these exact concerns led to the lawsuit.
Lawsuit Against a Software Provider
PowerSchool collects PII on more than 60M people globally. This particular attack compromised the names, email and physical addresses, SSNs, permanent records, passwords and even their bus stops! Can you imagine if that was your child’s information? What would you do if it happened to you?
MSCS accused PowerSchool of negligence, breach of contract, and false advertising. The legal complaint alleges that PowerSchool failed to uphold its contractual and legal duties to safeguard the data, and did not implement the bare minimum requirements for cybersecurity defense. MSCS now seeks compensatory, consequential, general, and nominal damages.
Although the lawsuit remains in the early stages, MSCS is pushing for accountability and compensation for the breach. PowerSchool expressed regret over the incident and the subsequent threats it created for its users.
The Bigger Picture
Ultimately, this case boils down to the role of third-party vendors in cybersecurity. It’s also a reminder of the stark danger posed by supply chain attacks. The platforms and services we rely on could become a great weapon against us.
More and more, threat actors go after service providers and leverage them against their own clients. It’s a much faster and more efficient way to attack many viable targets at once, compared to going after each business one by one.
What makes supply chain attacks especially effective? Hackers infiltrate applications and services that you already trust, and the threat isn’t being perpetrated by the trusted vendor itself. We need to stay vigilant, even with trusted services.
Defending Your Data From a Supply Chain Attack
The best way to protect yourself is to demand transparency from your service providers about their supply chain security.
Ask pointed questions like…
- How do you vet your vendors?
- What incident response plans are in place?
- Are there cyber insurance policies to mitigate losses?
Always choose vetted, reputable vendors whose platforms leverage data encryption to minimize exposure. By staying vigilant and fostering a culture of shared responsibility, you help fortify your supply chain defenses.
The post How a Supply Chain Attack Triggered a Lawsuit appeared first on Cybersafe.