PowerSchool Hacker Pleads Guilty to Student Data Extortion Scheme
A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers. Matthew D. Lane's actions have left school districts and educational institutions across the US, Canada, and other countries reeling.
The U.S. Department of Justice has charged Lane with four federal counts: cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. According to court documents, Lane and his conspirators breached a US-based telecommunications company in 2022, stealing confidential customer information. They also gained access to PowerSchool credentials belonging to an employee at the telecommunications company that acted as a contractor for PowerSchool.
The DOJ says that, after attempting to extort the telecom firm, they conducted an attack on an education company that would pay a ransom. In a message to CC-1, Lane warned that if Victim 1 did not pay the ransom, he and his accomplices could sell the stolen data. The threat actor suggested hacking another company "that[']ll pay." Although PowerSchool is not explicitly mentioned in the complaint, sources indicate that it is indeed the education company referred to by the DOJ.
Threat actors breached PowerSource, PowerSchool's support platform, using a maintenance tool to download the school's databases. These databases included sensitive information such as students' and faculty's full names, physical addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, medical data, and grades. The stolen data consisted of 62.4 million student records and 9.5 million teacher records from 6,505 school districts in the US, Canada, and other countries.
The DOJ says that PowerSchool received a ransom demand for approximately $2.85 million in Bitcoin on December 28, 2024. It is unclear how much was paid, but even after the ransom was paid, the threat actors attempted to extort impacted school districts individually, demanding further ransoms in exchange for not leaking student data.
These ransom demands claimed to be from Shiny Hunters, a prolific group of threat actors known for various breaches. It's worth noting that many members of this group have been arrested over the past year, leaving it uncertain whether other members carried out the attacks or if copycats are attempting to plant a false flag.
Lane also faces charges for the attempt to extort the U.S.-based telecommunications company, where they demanded a $200,000 ransom and threatened company executives. Lane has agreed to plead guilty to all four counts and faces a mandatory minimum sentence of two years for identity theft and up to five years on each of the other charges.