A breach of sensitive student data reported by education technology vendor PowerSchool came as no surprise to one North Texas mom.
Well before PowerSchool announced that hackers had accessed student and staff data stored in the software vendor’s system, Laura Giles was raising alarms about the risks her school district’s digital resources and data collection posed to students’ privacy.
PowerSchool, one of the largest providers of cloud-based software for K-12 education, notified customers on January 7 of a “cybersecurity incident” that occurred on December 28, in which an “unauthorized party” gained access to data stored within its Student Information System (SIS).
Lovejoy Independent School District, which Giles’ child attends, was one of those customers.
Giles and other Lovejoy ISD parents received a notice about the data breach on January 8 from the district’s Director of Technology, John Korb.
Korb stated the district was “gathering more information” and had activated its Cyber Security Incident Response Plan.
Giles responded to Korb’s message by asking what specific data on her child was illegally accessed by the hackers.
“I’m absolutely disturbed this school district uses unsecured software to manage sensitive data like that of a minor,” Giles wrote to Korb. “Why is Lovejoy using a SIS vendor that doesn’t have internal security practices?”
“Parents trust districts to keep our kids secure,” she added. “That includes my family’s data.”
Hackers reportedly accessed two PowerSchool datasets, one with teachers’ information and one containing students’ data including names, addresses, social security numbers, medical and financial information, grades, schedules, and more.
Giles also requested a copy of the district’s Cyber Security Incident Response Plan and any guidelines Lovejoy ISD uses to assess the security practices of taxpayer-funded technology vendors.
This was far from the first time Giles had questioned how Lovejoy ISD protects student data.
Giles has been asking for more than a year for her district to identify all the approved software programs and applications that are collecting students’ data and to verify what measures Lovejoy ISD is taking to secure that data.
In August 2023 Giles requested a list of applications and websites that students could access, the data retention policies for each, and the district’s policy for reviewing and approving third-party products. She was directed to go through “proper channels.”
When she sent a list of apps and websites for the district to confirm, she was told the Texas Public Information Act does not require school districts to answer questions—only to provide access to specific documents that are requested.
Giles said a list eventually provided did not include dozens of apps she knew were in use by the district, nor did the district maintain a list of sites that were rejected or blocked.
“It needs to be policy that all sites are blocked unless vetted and approved by the technology department via a documented process,” Giles wrote to Superintendent Katie Kordel on September 25, 2023. “The district MUST do its part to protect children’s data and keep children safe.”
She said parents and staff need to know what tools are approved for use, and there needs to be consequences for failure to follow the district’s approval policy.
“This is a huge problem and it impacts not just my family but the next generation of Americans’ privacy,” she added.
According to PowerSchool, its software supports more than 60 million students and 18,000 customers worldwide, including more than 90 of the top 100 districts by student enrollment in the United States.
Bain Capital bought PowerSchool last fall, estimating the company’s value at $5.6 billion.
Parents in California filed a federal class action lawsuit against PowerSchool last May over its data-mining practices, alleging that the company harvests sensitive information from children and families without their consent and uses the information for commercial purposes.
Three new federal lawsuits have been filed accusing PowerSchool of negligence in allowing the December data breach.
PowerSchool claims the attack did not involve ransomware but confirmed the company paid the hackers not to publish the stolen data.
Last year, the National Student Clearinghouse reported a security breach that allowed hackers to access students’ data.
In a post on X about the PowerSchool hack, Giles suggested parents should ask their school district officials why they are using a vendor that doesn’t follow industry best practices to secure students’ data.
“Also ask why they are using a vendor that waits a FULL week before notifying the school of a major security incident and ask when they’re going to terminate the contract with PowerSchools,” she wrote. “Or better—just tell your school district you are opting-out of using PowerSchool altogether & to remove all your family’s data immediately.”
“Then get the district to fund personal credit reports for every family member listed,” she added.
Giles told Texas Scorecard there is too much technology in schools for administrators to appropriately manage.
“And there’s no parent protection for student privacy because we don’t know what data they’re collecting,” she said.
According to Giles, school districts like Lovejoy share responsibility for the data breach because they had the opportunity to assess the vendor’s security practices before making the purchase.
“Job #1 of every school technology director should be to own and protect the data.”
Texas parents can contact their local school district officials to find out if their students’ sensitive data was compromised by the PowerSchool hack.
No ads. No paywalls. No government grants. No corporate masters.
Just real news for real Texans.
Support Texas Scorecard to keep it that way!