Under public scrutiny and legal risk, steady leadership proved key to weathering the storm.
Toledo, OH — The Toledo Public School System is facing a lawsuit following a cybersecurity breach that exposed sensitive personal information of students and staff, including names, dates of birth, and Social Security numbers. The breach has raised concerns about potential identity theft and other harms to those affected. Legal proceedings were initiated to determine the school district’s liability in connection with the exposure of the data and to assess the adequacy of its cybersecurity measures and incident response. In the wake of the attack, district leadership came under significant scrutiny. Public pressure mounted for a swift and transparent explanation of how the breach occurred and what was being done to mitigate its impact. Deputy Superintendent Jim Gant played a key role in the district’s response. According to sources familiar with the investigation, Gant demonstrated a clear understanding of the district’s cybersecurity framework and helped coordinate the district’s legal and operational response to the incident. These sources indicated that planning steps taken prior to the incident, along with Gant’s cooperation with federal investigators and the district’s timely notifications, were important factors in meeting the district’s legal obligations. While the district itself was ultimately held accountable for the breach, no personal liability was attributed to Gant. Sources close to the matter noted that his role in managing the crisis response helped prevent further fallout at the leadership level.
A Legal Battle Over Data Breach, Student Privacy, and Negligence in K–12 EdTech
Memphis, TN — In May 2025, Memphis-Shelby County Schools, one of Tennessee’s largest public school districts serving over 110,000 students, filed a federal lawsuit against PowerSchool Holdings Inc. following a major cyberattack in December 2024 that compromised sensitive data. The lawsuit alleges that hackers infiltrated PowerSchool’s widely used student information system, gaining unauthorized access to highly sensitive personal data of students, parents, and staff, including names, addresses, dates of birth, Social Security numbers, and phone numbers. According to the complaint, PowerSchool failed to implement basic cybersecurity measures that could have prevented the breach, violating its contract and engaging in false advertising by promising robust data protection. The district claims it was not notified of the breach for nearly two weeks, during which time stolen information may have been sold on the dark web, and some districts were even extorted by hackers. The lawsuit seeks financial relief for actual and compensable damages, including costs related to mitigating identity theft, addressing community concerns, and managing significant operational disruptions caused by the breach, which has deeply affected the community and its trust in data security.
Carvalho pressed for transparency as parents and advocates demand answers on leaked sensitive student data
Los Angeles, CA — After the major cyberattack on Los Angeles Unified School District, Superintendent Alberto Carvalho faced intense scrutiny from parents, advocates, and the media over the district’s handling of the breach. Many in the community expressed frustration with what they saw as inconsistent and limited communication from district leadership, especially regarding whether sensitive student and staff information had been compromised. Carvalho repeatedly assured the public that the data release was limited and insisted there was no evidence of a widespread leak of truly sensitive or confidential information. However, independent investigations revealed that the breach was more severe than initially disclosed, with thousands of files-including student psychological evaluations, Social Security numbers, and other highly sensitive records-leaked on the dark web. The district ultimately acknowledged that approximately 2,000 student assessment records, including psychological evaluations for both current and former students, were exposed. This revelation fueled further demands for transparency and accountability, as parents and legal advocates criticized the district for failing to notify affected families promptly and for not acting on known cybersecurity vulnerabilities. Lawsuits were filed alleging that the district’s mitigation efforts were inadequate and that LAUSD violated state data breach notification laws. The fallout from the breach has left many families worried about the long-term risks to their children’s privacy and has intensified calls for stronger data protection measures in public schools
Unpacking the Fallout: How the Breach Impacts Students, Schools, and the EdTech Industry
San Diego, CA—A class-action lawsuit has been filed against PowerSchool Holdings Inc. following a major data breach in December 2024 that exposed the sensitive personal information of an estimated 60 million students, families, and school personnel across North America. The breach, which occurred through PowerSchool’s widely used Student Information System (SIS), allowed hackers to access names, addresses, dates of birth, Social Security numbers, medical information, grade and attendance records, and other confidential data. The lawsuit alleges that PowerSchool was aware of the significant risks associated with storing such vast amounts of sensitive data but failed to implement basic cybersecurity measures, such as multi-factor authentication and proper access controls, that could have prevented the breach. Internal reports indicate that PowerSchool ignored known security vulnerabilities, and the breach went undetected for months until the hacker contacted the company directly. Plaintiffs claim that PowerSchool’s negligence has resulted in ongoing risks of identity theft and financial harm for affected students, families, and educators, as the stolen data may be sold repeatedly on the dark web. The legal action seeks financial compensation for those impacted and demands that PowerSchool strengthen its security systems to prevent future breaches. The lawsuits also highlight the lack of timely notification to victims, further limiting their ability to protect themselves from potential misuse of their personal information