Alleged Hacker Behind Largest US Children's Data Breach Agrees to Plead Guilty

A shocking turn of events has unfolded in the world of cybersecurity as Matthew Lane, 19, a Massachusetts man, has agreed to plead guilty to hacking into one of the top education tech companies in the United States and stealing tens of millions of schoolchildren's personal information for profit. The alleged hacker's plea deal comes after a major breach at PowerSchool, an educational technology company that provides software programs to help schools manage students, data, and educational programming.

According to court documents published on Tuesday, Lane signed a plea agreement related to charges connected to the hacking incident last year, as well as another company. While the documents refer to the education company only as "Victim-2" and the US attorney's office declined to name the victim, a person familiar with the matter told NBC News that it is PowerSchool.

The hack of PowerSchool is believed to be the largest breach of American children's sensitive data to date. The incident occurred when Lane obtained information from a protected computer by trying an employee's stolen username and password combination, echoing a private third-party assessment of the incident previously reported by NBC News.

The Rise of Remote Learning and Digitalized Student Information

Companies like PowerSchool have grown in recent years, especially during the Covid pandemic, when many schools shifted to remote learning. Cybersecurity experts have warned that as student information becomes increasingly digitized, it becomes more of a target for criminal hackers and identity thieves.

The breach at PowerSchool was discovered last December when the company realized someone had broken into a customer database and downloaded the personal information – including names, addresses, birthdays, and in some cases, Social Security numbers and medical information – of 62 million kids. The hackers then sent extortion demands for about $2.85 million in bitcoin.

A Complicated Web of Cybercrime

However, the situation became even more complicated when it was revealed that cybercriminals had been sending extortion emails to schools in Canada and North Carolina proving they have the data. PowerSchool stated in a statement on May 7 that "we do not believe this is a new incident, as samples of data match the data previously stolen in December."

"We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors," PowerSchool said. According to the complaint, Lane was responsible for hacking into PowerSchool, though it doesn't make clear whether he or another person or group was responsible for the extortion efforts.

The complaint cites an unnamed co-conspirator of Lane's and other unnamed cybercriminals who worked together to hack and extort another company. As one journalist covering cybersecurity, privacy, and technology policy for NBC News noted, this case highlights the ever-evolving nature of cybercrime and the importance of robust cybersecurity measures.