A shot of East Lansing High School. (ELi file photo)

East Lansing School District Joins Class Action Suit Against PowerSchool, Say ELPS Data was not Compromised

Earlier this month, the East Lansing Public Schools Board of Education approved a plan to join a class-action lawsuit against PowerSchool, a software and cloud-hosting platform used by the district that experienced a data breach in December 2024. Hackers claimed to have stolen the data of 62.4 million students and 9.5 million teachers.

Christian Palasty, the district’s director of technology and communications, explained in an interview with East Lansing Info that East Lansing students’ information was not stolen in the data breach because of extra security measures taken by the district. 

PowerSchool stores all school records, including attendance, lunch counts, demographic data, grades, behavior reports and emergency contact information. Palasty said schools fall into one of two categories in their PowerSchool setup: districts that self-host the server on their own hardware and districts that have the platform hosted for them. The hack only affected schools that do not host their own servers.

“We’re one of the few districts in Ingham County that hosts it ourselves,” Palasty said. “And the [hacker] did attempt to connect to our server, but we block international traffic, and the person wasn’t successful.”

Even though ELPS student data was not stolen, ELPS Superintendent Dori Leyko told ELi that because the district had an expectation of privacy that was not maintained, it is eligible to join the suit.

ELPS Superintendent Dori Leyko during the Monday, Oct. 23, 2023, ELPS Board of Education meeting. (Dylan Lees for ELi)

“I don’t know the exact legalese that’s in there,” Palasty added, “but [the district’s contract with PowerSchool] basically says that [they] will hold ourselves to the highest security standard [and] will meet these industry guidelines for cybersecurity best practices. And it kind of came out that they weren’t keeping themselves to those high standards.”

To PowerSchool’s credit, Palasty said, the company implemented near-instant security measures after the breach. The company also paid an undisclosed amount of money to the hacker for guarantees that the data would be returned. The data was returned, but the hacker then “reached out to individual districts and tried to extort them,” he said.

ELPS has utilized PowerSchool since 2007, Palasty said, and never really considered switching to another platform, even after the breach. He said the district trusts PowerSchool moving forward and that there are few alternative platforms the district could use.

He said that hacking and data breaches like this one are a constant threat, but ELPS has been successful in preventing breaches.

“Public education just doesn’t have the resources or the manpower to play that whack-a-mole of keeping things locked down [and] preventing people from clicking on links and emails,” he said. “We deal with that on a weekly basis. Thankfully, we [ELPS] haven’t had a huge data breach in a very long time.

“We can only do the best that we can to lock the network down, run tests on it, have outside contractors run audits on it and see if they find any loopholes or any windows that we’ve neglected or missed.”

According to a memorandum from the district’s attorneys, Thrun Law Firm, the lawsuit will seek past and future expenses related to the data breach, future expenses for platform changes and data migration, and reimbursements for payments to PowerSchool.

Frantz Law Group in California are the class attorneys in the suit.