Writing for

Good

Insights

When the Lock Isn’t Enough: The $1M Mistake EdTech Companies Can’t Afford

Written by:
icon

In Brief

The 2024 PowerSchool security breach was a preventable failure of basic security practices. It exposed how fragile EdTech software security can be, especially when software development processes fall short on visibility and compliance. 

This article breaks down what went wrong, why school districts are rewriting their RFPs, and how EdTech solution providers can protect student data by building with security in mind. 

If your EdTech product isn’t SOC 2 Type 2 compliant or lacks proactive cybersecurity measures, you’re already falling behind.

Every new integration, every new k12 contract, every new user raises the stakes. Can your security posture keep up?

EdTech vendors are under pressure to meet k12 school districts’ high expectations for security. As school districts include data privacy mandates into their RFPs, vendors that can prove security through compliant, intentional software development practices will have the competitive advantage.

When Power Fails: The Security Breach That Shook K12 Confidence

What happened?

In December 2024, PowerSchool experienced a security breach where several school districts unknowingly had student and teacher data exposed.

With a classroom-name like PowerSchool, you’d think this was some high-level sophisticated hack.

Unfortunately, it showed how even small vulnerabilities can dismantle security protections.

How did it happen?

Someone got a hold of a support login, likely through phishing or reuse, and used it to get into the student information systems of multiple districts. There wasn’t any malware, no zero-day exploit. Just access to student and teacher data.

At the time of the breach, PowerSchool didn’t have multi-factor authentication (MFA) enabled for that support portal. VPN and MFA protections were only implemented after the damage had been done.

Why did it happen?

It was a breach caused by basic access mismanagement and a startling lack of visibility. PowerSchool didn’t even know they’d been hacked until the attacker reached out asking for payment. In other words, you can have the fanciest lock, but if you hide the key under the mat, it doesn’t matter.

From a technical standpoint, PowerSchool had strong tools in place: endpoint detection, encryption, and threat monitoring. But the incident revealed what those tools can’t do: compensate for poor practices and a lack of security awareness.

PowerSchool Aftermath and Its Implications for EdTech Vendors

This article isn’t a takedown though. It’s a reminder:

When software is built without guardrails, it’s not a question of if something breaks, it’s when.

A breach like this would have been damaging enough on its own. But the aftermath hit harder than anything the EdTech space has seen before:

Legal action

In response to the breach, multiple lawsuits happened:

  • The St. Croix Falls School District in Wisconsin filed a federal lawsuit against PowerSchool. The district alleged breach of contract and inadequate security measures. This has prompted other districts to consider similar legal actions.
  • Families and educators affected by the breach have filed class-action lawsuits, claiming negligence in safeguarding personal information.

New Mandates

While not a direct response to PowerSchool’s breach, the Federal Trade Commission recently updated COPPA, the Children’s Online Privacy Protection Act. And while most of the new rules are aimed at consumer-facing platforms, they’re sending a message the EdTech world needs to hear:

  • Stricter parental consent before any student data is shared
  • Shorter data retention windows (no more holding onto info “just in case”)
  • Greater transparency around third-party data practices

And K12 Districts responded with quiet intensity…

Districts Require Far More Than “Good Faith” Promises on Data Security.

DistrictRFP Security/Contract Requirements
Buffalo City School District (New York)

Issued a Data Sharing and Confidentiality Agreement, stipulating that vendors must:

  • Implement stringent security measures to safeguard confidential information.
  • Provide staff training on data privacy laws.
  • Adhere to specific breach notification procedures.
Pleasant Hill School District (Missouri)

RFP for SIS explicitly outlines data privacy clauses, including:

  • Strict breach notification protocols (48-hour notice + required incident response plan)
  • Mandatory employee background checks for anyone accessing student data
  • Employee security training and designation of a security point of contact
  • Encrypted access and firewall requirements
  • Clear destruction/deletion policies for student data
  • Adherence to FERPA and signed compliance with the Student Data Privacy Consortium Agreement
Omaha Public Schools (Nebraska)

Even this RFP for yearbook services still require data privacy:

  • A requirement for signing the district’s standard Data Protection Agreement (DPA) as a condition of award
  • Explicit callouts for cyber liability insurance ($1M) and security warranties
  • Stipulated compliance with FERPA, and incident response plan expectations

Breaches shake confidence in all companies. It shifts what buyers expect, what investors watch for, and what vendors can no longer afford to overlook. Not every EdTech vendor has to repeat PowerSchool’s mistakes though.

Here’s how security-first development practices, like the ones we follow at Edify, prevent small cracks from turning into major breaches.

“Security is not a product, but a process.

Bruce Schneier
Harvard, Cryptographer and computer security.

WWEDD? What Would Edify Software Consulting Do Differently?

Security can’t be considered a feature of any product. It needs to be a part of the foundation.

From the moment someone works with us, we’re building with security in mind. Our architecture is designed from the ground up to protect sensitive data. We’re SOC 2 Type 2 compliant, which is the equivalent of a report card for companies. When searching for your partners in software development, devops, project management, or quality assurance, look for this type of ‘grading’ system. SOC 2 Type 2 compliance means that the company is serious about keeping information safe and private. So when a company says they are SOC 2 Type 2 compliant, it means:

    1. They put strong rules and protections in place to safeguard data
    2. An outside auditor checked them over a long period of time
    3. They proved they stuck to their security promises

Our commitment to security is never one and done; it’s a workflow that’s embedded into how we operate, every single day.

Our Security Processes

Software development calls for security processes. We follow OWASP-aligned design principles to spot vulnerabilities early in the build process. Our internal protocols mean only the right people have access to the right systems. Credentials are never floating around on sticky notes or in email threads. We use encrypted, role-based access management that’s tightly controlled and regularly audited.

And because we know that humans, not just code, are part of the security equation, our team goes through ongoing security awareness training, including phishing simulations that keep everyone sharp.

We also take remote access seriously. When we’re granted access to a client’s system, we treat it with the same level of control and oversight as our own infrastructure.

Software consulting companies like Edify don’t wait for something to go wrong to care about security. We build for it by default.

Cheap code is expensive.
While budget matters, so does risk. Vendors should ask whether a lower price now is worth a breach, a lawsuit, or a lost contract later.

PowerSchool appears to still rely on offshore software development in some capacity, based on recent job postings. It’s tempting to cut costs by outsourcing to the lowest bidder. But when your product is managing student data, trust is also your product.

Offshore teams often come with timezone delays, fragmented communication, and limited oversight. When coordination breaks down, so does your ability to see what’s really happening.

It’s hard to say whether this could have been prevented, but at the very least, tighter DevOps integration, real-time collaboration, and shared compliance frameworks could have helped catch this sooner. What is certain is that sensitive data needs well-defined protocols to stay protected.

Scale Without Sacrificing Security
It’s easy to focus on features and growth until a security gap brings everything crashing down.

The real question isn’t “What security tools are you using?” but “What practices are in place?”

Recommendations for EdTech vendors and product leaders:

  • Build in security from day one.
  • Audit who has access to what and why.
  • Require MFA and tightly controlled credentials.
  • Adopt and communicate clear incident response protocols.
  • Prioritize vendor oversight and secure DevOps practices.
  • Invest in security training for your engineering and support teams.

Security can’t be treated as a backend concern anymore. It’s a brand asset, a sales differentiator, and a signal of readiness for scale.

Knowledge Elements scaled nationally without cutting corners on security because they built their foundation the right way from the start.

See how a security-first approach helped Knowledge Elements earn trust, grow rapidly, and avoid the pitfalls other EdTech companies are now facing

Explore the case study now

Further Reading:

Take a deeper look at Edify’s security architecture:

Check out this post on how we use Next.js middleware and server-side logic to enforce role-based access and safeguard user data at the code level.

See our commitment to security and how it translates into real-world applications in our SOC 2 Type II compliance case study.