Mar 25, 2025

Personal data has become the world’s most valuable commodity, and the risk of massive cyber breaches looms larger than ever. The recent PowerSchool hack is a stark reminder of how vulnerable we truly are. PowerSchool, a software provider serving thousands of schools across the nation, was infiltrated by a phishing attack in December 2024. As a result, an unknown threat actor gained access to all data, past and present, for both current and former teachers, students, and employees. Even more alarming was the discovery that PowerSchool was retaining years’ worth of personal data long after user accounts were closed.
This breach and many others like it bring an urgent question to the forefront of our minds: Why are companies allowed to hoard inactive personal data, and what can be done to stop it? In Europe, the General Data Protection Regulation (GDPR) already enshrines the “Right to Be Forgotten” (RTBF), which compels companies to delete personal information when it’s no longer relevant or necessary. However, in the United States, no comprehensive federal law of this scale exists. In this article, the cybersecurity experts at Blade Technologies explore how the PowerSchool hack highlights the dangers of indefinite data retention and how adopting RTBF legislation could be a critical step toward safeguarding personal information.
What is “Right to Be Forgotten”?
The “Right to Be Forgotten” (RTBF) is a principle designed to allow individuals to request the removal of personal information that is no longer relevant, necessary, or accurate. While the concept has existed in legal and ethical discussions for years, it was officially codified by the European Union in Article 17 of the General Data Protection Regulation (GDPR) in May 2018. Under the GDPR, organizations must delete personal data when it is no longer needed for the purpose it was originally collected, or if the individual withdraws consent and there is no overriding, legitimate interest in continuing to process the data.
Article 17 outlines a few principles, primarily focusing on user consent and control. Organizations are encouraged to collect only the data they genuinely need and keep it no longer than necessary. Additionally, if a user withdraws consent for their data to be used and there is no lawful basis to retain it, the data must be removed from active databases and backups. It’s important to note that the RTBF is not absolute. There are exceptions for public interest, legal requirements, and freedom of information. This means that data controllers must evaluate each deletion request on a case-by-case basis to ensure compliance with all relevant laws and societal interests.
Understanding the PowerSchool Breach
In December 2024, PowerSchool, a leading student information system (SIS) and education technology provider, fell victim to a significant cyberattack. An unknown threat actor successfully phished the credentials of a high-level administrator, granting unauthorized access to PowerSchool’s extensive data repositories. This breach is considered especially severe because it compromised not only the current data of students, teachers, and staff but also information from old, inactive accounts that had been closed years prior.
According to a statement by PowerSchool, every piece of data stored on their systems was potentially accessed by the attackers. That includes personal identifiers, grades, disciplinary history, and medical records of current students and staff, along with data retained from former students and staff. As of January 2025, approximately 62 million students and 9 million teachers were affected by the PowerSchool breach.
This breach was particularly severe for three primary reasons:
- Retention of Old Data: PowerSchool’s decision to store personal data long after accounts were inactive drastically expanded the breach’s reach. If data had been properly deleted or anonymized, far fewer records would have been exposed.
- Sensitive Nature of the Information: Educational records can be surprisingly comprehensive, often including medical information, disciplinary actions, and family details, making them a goldmine for identity thieves.
- Potential Long-Term Impact: Unlike credit card numbers that can be changed, much of the data compromised in the PowerSchool hack (birthdays, Social Security numbers, personal histories) can’t easily be altered. This leaves affected individuals vulnerable to identity theft and other forms of fraud for years to come.
The Problem of Excessive Data Retention
The PowerSchool breach illustrates a core vulnerability in modern data practices: keeping large amounts of personal information long after it has served its initial purpose. When organizations do not regularly purge or anonymize dormant records, they create massive repositories of sensitive data that become attractive targets for cybercriminals.
The Risks of Holding onto Unused Data
The more data an organization stores, the larger the potential payoff for attackers. Even outdated or “inactive” records contain valuable personal details—like Social Security numbers, birth dates, and addresses—that can be used for identity theft or financial fraud. Over time, data may be stored across multiple systems, backups, and third-party services. Without strict retention and deletion policies, it becomes harder for a company to keep track of all the data it’s holding and to secure every possible entry point.
The Impact on Individuals
Once stolen, personal information like medical records or educational histories cannot simply be “turned off” or replaced in the same way you might replace a lost or stolen credit card. This leaves individuals exposed to identity theft and other abuses for years, sometimes for a lifetime. Sensitive data like disciplinary records or health information can also have serious ramifications if made public. Victims could face embarrassment, harassment, or discrimination based on details that should have remained private.
Why Companies Fail to Delete Old Data
Many organizations do not have comprehensive data retention policies that dictate how long to keep certain records and under what circumstances they should be purged. This leads to a default behavior of retaining everything “just in case.” Companies sometimes view data as a resource that may prove valuable for analytics, marketing, or potential product improvements. By hoarding large datasets, they hope to extract additional value at a later time, even if no immediate plan exists.
Finally, in places without robust data protection laws, there is less external pressure to delete obsolete data. Without the legal obligation or threat of fines (as seen under the GDPR), businesses may not prioritize data minimization. Organizations accumulate larger and larger databases, inadvertently amplifying the consequences when breaches occur.
The PowerSchool Hack: A Lesson in Why RTBF Matters
The recent PowerSchool breach isn’t just another headline in a long list of cybersecurity incidents—it’s a wake-up call that highlights the dangers of indefinite data retention. While the “Right to Be Forgotten” (RTBF) is primarily associated with the European Union’s GDPR, similar legislation or policies could have significantly mitigated the impact of this breach. By requiring organizations to delete personal data once it’s no longer necessary or relevant, RTBF serves as both a preventive and protective measure.
In this instance, if PowerSchool had been legally required to erase information from inactive or defunct accounts, the hackers would have had access to far fewer records, dramatically reducing the scope of the breach. Knowing they must comply with potential RTBF rules also pushes organizations to maintain clearer data governance, including adopting strict retention schedules, auditing stored data regularly, and ensuring old records are properly disposed of once they’re no longer needed.
A significant aspect of RTBF is empowering users to request the deletion of their personal data. This ensures that parents, students, and staff, particularly those who no longer use PowerSchool, could demand the complete removal of sensitive details, safeguarding them from future breaches. From a business standpoint, housing less data reduces exposure in the event of a cybersecurity incident. Implementing RTBF principles can also foster trust; when customers know an organization respects their data privacy, they are more likely to continue using its services.
The Case for RTBF Legislation in the United States
The PowerSchool incident underscores the potential benefits of formalizing RTBF in U.S. legislation or through industry-led standards. While federal privacy legislation in the United States remains fragmented, the growing frequency and severity of cyberattacks highlight the urgent need for clearer, more robust regulations. By requiring businesses to delete outdated or irrelevant data, policymakers can help prevent the accumulation of massive data troves that inevitably attract cybercriminals. Such frameworks would not only protect individuals but also encourage more responsible data stewardship across industries.
Growing Advocacy Trend
In the wake of high-profile hacks—from major retailers to credit bureaus and now educational software providers—public sentiment has shifted toward greater data control. As more Americans become aware of how easily their personal details can be compromised, calls for a U.S. equivalent to the EU’s GDPR are growing louder.
Countries outside the EU, including Brazil (with its General Data Protection Law, LGPD) and Japan (with revised privacy laws), have adopted stricter data protection standards that borrow from GDPR principles. These global shifts put pressure on U.S. businesses to align with international best practices, even in the absence of federal legislation.
Policy Recommendation
Based on what cybersecurity experts and users have learned from the growing trend of cybersecurity breaches, there are a few specific policies and regulations that could significantly reduce the impact and scope of data theft. These include:
- Mandatory Deletion of Inactive Data: Companies should be legally obligated to remove personal data once it is no longer needed to fulfill the service or purpose for which it was collected. This would drastically reduce the sheer volume of data available to malicious actors in the event of a breach.
- Clear Timelines and Transparency: Legislation should set standardized retention periods based on the type of data (educational, financial, or health). Additionally, organizations must inform users of these timelines and their right to request immediate erasure in specific circumstances, including account closure or withdrawal of consent.
- Penalties and Enforcement: To ensure compliance, enforcement agencies should have the authority to levy fines or other sanctions on companies that fail to fulfill RTBF obligations. Much like the EU model, fines could be scaled according to an organization’s size and the severity of the violation.
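As an added illustration of the retention rules proposed above (example code written for this article, not PowerSchool's or Blade Technologies' own), the Python sweep below applies per-category retention periods after account closure, erases on withdrawal of consent, and honours a legal-hold exception; the categories, day counts and record IDs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed schedule: days a record may outlive its account's closure (illustrative, not a legal standard).
RETENTION_DAYS = {"educational": 365 * 2, "financial": 365 * 7, "health": 365}

@dataclass
class Record:
    record_id: str
    category: str
    account_closed_on: Optional[date]  # None means the account is still active
    consent_withdrawn: bool = False
    legal_hold: bool = False           # statutory or litigation exception

def decide(rec: Record, today: date) -> tuple:
    """Apply the RTBF-style rules in order and return (action, reason)."""
    if rec.legal_hold:                 # exceptions win over erasure requests
        return "retain", "legal hold in force"
    if rec.consent_withdrawn:          # no lawful basis left to process it
        return "delete", "consent withdrawn"
    if rec.account_closed_on is None:
        return "retain", "account still active"
    limit = RETENTION_DAYS.get(rec.category)
    if limit is None:                  # fail closed: never keep data silently
        return "flag", "no retention period defined for category"
    if today - rec.account_closed_on > timedelta(days=limit):
        return "delete", f"{rec.category} retention of {limit} days exceeded"
    return "retain", "within retention period"

def sweep(records, today: date) -> dict:
    """Group records into a plan; the same plan must also be applied to backups."""
    plan = {"delete": [], "retain": [], "flag": []}
    for rec in records:
        action, reason = decide(rec, today)
        plan[action].append((rec.record_id, reason))
    return plan

# Constructed sample data for a sweep run on the article's publication date.
TODAY = date(2025, 3, 25)
SAMPLE_RECORDS = [
    Record("stu-001", "educational", date(2022, 1, 10)),            # stale: delete
    Record("fin-002", "financial", date(2022, 1, 10)),              # within 7 years
    Record("med-003", "health", None, consent_withdrawn=True),      # erase on request
    Record("stu-004", "educational", date(2020, 1, 1), legal_hold=True),
    Record("bio-005", "biometric", date(2019, 6, 1)),               # unknown category
    Record("stu-006", "educational", None),                         # active account
]

def run_sample() -> dict:
    return sweep(SAMPLE_RECORDS, TODAY)
```

Records in an undefined category are flagged for review rather than kept by default, which is the behaviour a retention audit needs in order to surface data nobody has classified.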
Balancing Business Needs with Privacy
Businesses may legitimately need to retain certain records for operational or legal reasons, such as verifying transactions, meeting regulatory obligations, or supporting active service delivery. Any data kept for these reasons must be adequately protected and promptly deleted once those needs expire. Deleting unnecessary data not only mitigates security risks but also reduces storage costs and complexity. Implementing clear data governance practices can lead to more efficient business processes, ultimately benefiting an organization’s bottom line.
A robust RTBF framework doesn’t have to stifle innovation; it can actually boost consumer confidence. When individuals know their data won’t be hoarded indefinitely, they’re more likely to share accurate information and remain loyal to companies that respect their privacy. By adopting RTBF legislation, policymakers can help close the gap in data protection that leaves both individuals and businesses vulnerable. Rather than viewing privacy regulations as a burden, forward-thinking leaders see them as an avenue to build trust, enhance security, and foster responsible innovation—vital components of a resilient, modern economy.
Protect Your Data with Blade Technologies
The PowerSchool breach is a stark reminder of the dangers that come with retaining massive amounts of personal data long past its useful life. Despite being an industry-leading educational technology solution, PowerSchool’s failure to remove outdated or inactive records left millions vulnerable to one successful phishing attack. Incidents like these underscore the urgent need for a legislative framework—modeled on the GDPR’s “Right to Be Forgotten”—that mandates the deletion of unnecessary personal data and empowers individuals to demand its removal.
Adopting RTBF principles does more than protect users from the fallout of data breaches; it also encourages more responsible data governance, fosters consumer trust, and reduces the likelihood of devastating cyberattacks. As cybersecurity challenges continue to multiply, lawmakers, businesses, and individuals all share responsibility for promoting better data practices.
While we wait to see how data security legislation and regulations develop, Blade Technologies can help your business secure its data. From initial risk assessment and penetration testing to empowering your team with cybersecurity awareness training, we are here to provide industry-leading data loss prevention and support. To see how our experts can help you avoid devastating breaches, contact us today.