Texas Attorney General Ken Paxton is suing a California tech company over a data breach that exposed personal and health information of more than 880,000 Texas students and teachers.

The lawsuit alleges that PowerSchool violated Texas law and seeks fines, stronger data security measures, and potential restitution for those impacted by the December 2024 breach.

PowerSchool makes software that helps schools manage enrollment, student records, employee data, and daily operations.

Hacker accessed unencrypted student data

In a news release, Paxton's office said a hacker used a subcontractor's account to access and transfer "large amounts" of unencrypted data to a foreign server. The stolen information included names, addresses, Social Security numbers, medical and disability records, special education details, and even bus stop locations.

Paxton warned big tech companies against profiting from children's data while neglecting security, vowing to hold PowerSchool accountable.

"If Big Tech thinks they can profit off managing children's data while cutting corners on security, they are dead wrong," Paxton said. "Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused. My office will do everything we can to hold PowerSchool accountable for putting Texas students, teachers, and families at risk."

"State-of-the-art" security claims called misleading

Paxton's lawsuit claims PowerSchool misled customers by advertising "state-of-the-art" security while failing to use basic protections like multi-factor authentication, proper access controls, and data encryption.

On its website, PowerSchool says it serves more than 90 of the 100 largest U.S. school districts by enrollment, including Dallas ISD.

Expert: Breach is "incredibly big deal"

After the breach, a cybersecurity expert told CBS News Texas that it was an "incredibly big deal."

"There are 50 million records that were taken, and these are of children's data, including Social Security numbers, as well as educators, so this could lead to a lot of damage," said Matt Malone, Vistrada's director of cybersecurity.

Malone said it appeared PowerSchool didn't have enough security protocols in place.

"The problem with this is there were Social Security numbers involved of children and those children may not notice their credit for years," he said.

AI making attacks more sophisticated

Malone said it's important to monitor your child's credit, especially as these types of attacks become more common.

"The AI is getting better on building out attack vectors," he said. "You're getting AI to do social engineering techniques better. It's definitely worsening in escalation, and in the cybersecurity industry, it is rapidly taking off."

Company has been contacted for comment

CBS News Texas has contacted PowerSchool for comment and will update this story as soon as more information becomes available.