U.S. College Student Pleads Guilty in Data Breach that Affected North American Schools
A Massachusetts college student has agreed to plead guilty to hacking into cloud-based education software provider PowerSchool and stealing data pertaining to millions of North American students and teachers. Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester, Mass., related to the hacking of two companies.
The breach, which exposed the data of tens of millions of children, has been linked to the extortion of PowerSchool and school districts into paying ransoms. According to court papers, Lane used the credentials of a PowerSchool contractor in September to gain access to its network and obtain student and teacher data. He then transferred the data to a computer server he leased from a cloud storage provider in Ukraine.
The Extortion Ransom Demand
Days later, PowerSchool received a ransom demand threatening to leak the names, addresses, Social Security numbers, and other sensitive data belonging to more than 60 million students and 10 million teachers unless it paid $2.85 million US worth of bitcoin. The demand was part of a larger extortion scheme that also targeted an unnamed telecommunications company.
The prosecutors alleged that Lane conspired with others to extort the telecommunications company into paying a $200,000 US ransom to avoid the disclosure of data stolen from its network. However, it appears that PowerSchool ultimately paid the ransom demand to prevent the release of sensitive information.
The Impact on Schools
PowerSchool's software is used by more than 18,000 schools to support over 60 million students across North America. The breach has affected school boards in Ontario, Saskatchewan, Alberta, Newfoundland and Labrador, Nova Scotia, Prince Edward Island, Manitoba, and the Northwest Territories in Canada.
The Charges Against Lane
Lane faces charges related to engaging in cyber extortion and aggravated identity theft, as well as accessing protected computers without authorization. As part of his plea deal, he has agreed to plead guilty to these charges and will face at least two years in prison.
Reactions from Authorities
"His actions instilled fear in parents that their kids' information had been leaked into the hands of criminals — all to put a notch in his hacking belt," said U.S. Attorney Leah Foley in a statement. Lane's attorney did not respond to requests for comment.
Background on PowerSchool and the Breach
Folsom, Calif.-based PowerSchool disclosed the breach in January, stating that it learned of it on Dec. 28, 2024, and decided to pay a ransom to prevent data from being made public. Since then, multiple school districts have also received extortion demands related to the same data.
Conclusion
The plea deal entered into by Matthew Lane marks a significant development in the investigation into the massive PowerSchool breach. As authorities continue to investigate and prosecute those responsible for this cybercrime, it is essential that schools and parents remain vigilant in protecting their sensitive information from potential threats.