loading . . . Board members of the Montpelier Roxbury Public Schools (MRPS) district have the option to join a lawsuit against the software provider PowerSchool following a massive breach of student and faculty data late last year.
The MRPS Director of Curriculum and Technology Michael Berry briefed board members about the opportunity at a March 19 board meeting. He said the personal data of students and instructors reaching back to 2009 were accessed and downloaded by unauthorized users twice in December.
According to PowerSchool, the data include names, contact information, birthdays, Social Security Numbers, medical alert information, and “other related information” of students and instructors across U.S. school districts.
The breach involved the company’s Student Information System (SIS), which is used by schools to track grades, attendance, enrollment, and other kinds of performance metrics. This year, MRPS paid PowerSchool about $34,000 for use of the system.
## __Never miss a headline — subscribe to our free newsletter now!
We hate spams like you do
Email address:
Leave this field empty if you're human:
Berry recommended the MRPS board join a mass action lawsuit, which could bring financial compensation to the district for time lost dealing with the data breach, as well as funds to cover cost increases for PowerSchool software systems next year, which could be up to $12,000. Regarding the latter, Berry called that “an interesting marketing strategy.”
The lawsuit could also result in additional legal protections for school districts if the stolen data were used for illicit activities in the future, and could provide funds to cover the cost of switching to another company’s system to manage student data, if the district chose to do so.
Berry told board members that the long-term goal of a lawsuit would be to hold PowerSchool accountable — possibly forcing the company to reach out to those impacted by the breach.
According to its website as of early March, PowerSchool said it notified affected individuals by email and is offering free digital identity protection services, including credit monitoring services, through July 31 of this year.
However, Berry said he received word that individuals affected within the district did not receive notification from the company. He said MRPS notified students and faculty, attempting to track down families who moved away from the district since 2009. “We went above and beyond, but it’s really PowerSchool’s responsibility to do that,” he told board members.
_Advertisement_
The district sent out three letters to families and individuals in January, according to a webpage MRPS set up regarding the data breach (mrpsvt.org/powerschool). The MRPS Communications Coordinator Anna Hipko said that if affected individuals did not receive notification, they should contact PowerSchool directly.
The MRPS district is just one of nearly 40 districts in the state affected by the cyber attack. Some cybersecurity experts say it constitutes the largest breach of student data in the U.S. to date, putting millions of students and staff members at risk of identity theft.
PowerSchool hosts the personal data of 60 million students globally, according to its website. The company, which dominates the Student Information System market, was valued at $5.6 billion last year when a Boston-based private investment firm acquired it.
According to a February investigation by the cybersecurity company Crowdstrike, PowerSchool failed to put the most basic cybersecurity safeguards in place, such as multi-factor authentication, which could have prevented the breach — “a scary part of the story,” Berry told board members.
Courts in the U.S. are now seeing a profusion of lawsuits brought by school districts and individuals whose data were leaked. Many of those lawsuits allege violations of data privacy agreements, false advertisements, and negligence.
_Advertisement_
The MRPS district was alerted about the opportunity to sue PowerSchool by the Student Data Privacy Consortium, a nonprofit organization that provides data privacy agreements for school districts who do business with technology vendors, according to Berry.
The district has about a month to decide whether it will sue the company, he said.
The next MRPS board meeting will be held on Wednesday, April 2, from 6:30 to 8:30 p.m. at Montpelier High School or Roxbury Village School, and online. https://montpelierbridge.org/2025/04/mrps-could-sue-software-provider-following-massive-data-breach/
