PowerSchool Naviance Data Harvesting Lawsuit Settles for $17.25 Million
In early April, students worldwide received notifications about a settlement in a lawsuit against PowerSchool, the provider of Naviance, a widely used college and career readiness platform. The lawsuit alleged that between August 18, 2021, and January 23, 2026, Naviance embedded Heap, a third-party tracking tool, which collected sensitive student data including keystrokes, clicks, mouse movements, and private messages to counselors without consent. The harvested data was reportedly sent to Google, Microsoft, and Hotjar, violating state and federal privacy laws, including the Electronic Communications Privacy Act and the California Invasion of Privacy Act.
Filed in August 2023 by an unnamed Chicago student, the lawsuit accused Naviance of unauthorized digital surveillance. PowerSchool denied the allegations but reached a $17.25 million settlement in February 2026, with payments to affected students. As part of the agreement, Heap, Google, Microsoft, and Hotjar agreed to delete all stored student data. Final approval is pending at a hearing on August 19, 2026.
This incident is not PowerSchool’s first privacy controversy. In December 2024, a hacker exploited a stolen password to breach PowerSchool’s systems, stealing data from millions of students and educators. Though a $2.85 million ransom was paid, the same data was later used in further extortion attempts.
The case reflects a broader trend of EdTech privacy failures, as digital learning tools in K-12 schools have nearly doubled in usage since 2020. Recent breaches, including a ShinyHunters attack on Canvas in April and May 2026, disrupted global education systems, forcing Instructure to pay an undisclosed ransom to prevent data leaks.
Eligible students have until July 27, 2026, to file a claim under the settlement.
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft
Hotjar | by Contentsquare cybersecurity rating report: https://www.rankiteo.com/company/hotjar
Google cybersecurity rating report: https://www.rankiteo.com/company/google
PowerSchool cybersecurity rating report: https://www.rankiteo.com/company/powerschool-group-llc
{
  "id": "MICHOTGOOPOW1779697543",
  "linkid": "microsoft, hotjar, google, powerschool-group-llc",
  "type": "Breach",
  "date": "8/2021",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Students worldwide',
                        'industry': 'Education Technology',
                        'location': 'Global',
                        'name': 'PowerSchool (Naviance)',
                        'size': 'Large (millions of users)',
                        'type': 'EdTech Platform'}],
 'attack_vector': 'Third-party tracking tool (Heap)',
 'customer_advisories': 'Notifications sent to affected students with '
                        'settlement details',
 'data_breach': {'data_exfiltration': 'Yes (sent to Google, Microsoft, and '
                                      'Hotjar)',
                 'personally_identifiable_information': 'Yes (student data)',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information of students)',
                 'type_of_data_compromised': 'Behavioral data (keystrokes, '
                                             'clicks, mouse movements), '
                                             'private messages'},
 'date_detected': '2023-08-01',
 'date_publicly_disclosed': '2026-04-01',
 'date_resolved': '2026-08-19',
 'description': "A lawsuit alleged that PowerSchool's Naviance platform "
                'embedded Heap, a third-party tracking tool, which collected '
                'sensitive student data including keystrokes, clicks, mouse '
                'movements, and private messages to counselors without '
                'consent. The harvested data was sent to Google, Microsoft, '
                'and Hotjar, violating state and federal privacy laws. '
                'PowerSchool settled the lawsuit for $17.25 million.',
 'impact': {'brand_reputation_impact': 'Significant (privacy controversy)',
            'data_compromised': 'Keystrokes, clicks, mouse movements, private '
                                'messages to counselors',
            'financial_loss': '$17.25 million settlement',
            'identity_theft_risk': 'High (sensitive student data exposed)',
            'legal_liabilities': 'Violation of Electronic Communications '
                                 'Privacy Act and California Invasion of '
                                 'Privacy Act',
            'systems_affected': 'Naviance platform'},
 'investigation_status': 'Settled (pending final approval)',
 'lessons_learned': 'EdTech platforms must ensure compliance with privacy laws '
                    'and obtain explicit consent for data collection. '
                    'Third-party tracking tools pose significant risks to user '
                    'privacy.',
 'motivation': 'Data monetization (alleged)',
 'post_incident_analysis': {'corrective_actions': 'Data deletion by third '
                                                  'parties, settlement '
                                                  'payments, and pending '
                                                  'policy changes',
                            'root_causes': 'Unauthorized embedding of '
                                           'third-party tracking tools without '
                                           'user consent'},
 'recommendations': 'Implement stricter data collection policies, conduct '
                    'regular audits of third-party tools, and enhance '
                    'transparency with users regarding data usage.',
 'references': [{'date_accessed': '2026-04-01',
                 'source': 'Lawsuit settlement announcement'}],
 'regulatory_compliance': {'legal_actions': 'Lawsuit settlement',
                           'regulations_violated': ['Electronic Communications '
                                                    'Privacy Act',
                                                    'California Invasion of '
                                                    'Privacy Act']},
 'response': {'communication_strategy': 'Notifications to affected students',
              'containment_measures': 'Heap, Google, Microsoft, and Hotjar '
                                      'agreed to delete all stored student '
                                      'data',
              'remediation_measures': 'Settlement agreement to delete data and '
                                      'pay affected students'},
 'title': 'PowerSchool Naviance Data Harvesting Lawsuit Settlement',
 'type': 'Data Harvesting',
 'vulnerability_exploited': 'Unauthorized data collection via embedded '
                            'tracking tool'}