According to JDSupra, a California federal judge allowed claims against Bain Capital to proceed based on a data breach at its subsidiary PowerSchool, a case that suggests private equity firms may be held liable for cybersecurity failures at portfolio companies even for pre-closing conduct. Bain Capital acquired PowerSchool in a $5.6 billion transaction that closed on 1 October 2024, after discussions that began in August 2022 and accelerated in 2024.
The breach occurred in August 2024, before the acquisition closed, when a threat actor gained access using stolen vendor credentials, with initial exfiltration of data from a single school district in September 2024. Post‑closing, Bain directed PowerSchool to offshore cybersecurity, engineering and IT functions to contractors, including data-management tools that enabled vendors to bypass consent protocols and access protected school district computers directly.
Over the following months, a 19-year-old college student from Massachusetts used the stolen credentials to exfiltrate data from thousands of North American school districts, an activity not discovered until 28 December 2024, after Bain’s acquisition closed, when the cybercriminal group ShinyHackers made a ransom payment demand to PowerSchool.