Massachusetts Hacker to Plead Guilty to PowerSchool Data Breach
A Massachusetts college student has agreed to plead guilty to hacking cloud-based education software provider PowerSchool and stealing data pertaining to millions of students and teachers. Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester, Massachusetts, related to the hacking of two companies, which were then extorted for ransoms.
The charges marked the first time authorities had identified who was responsible for a data breach at PowerSchool that appeared to expose the data of tens of millions of children. PowerSchool's software is used by more than 18,000 schools to support over 60 million students. Lane is a student at Assumption University in Worcester.
"Instilled fear in parents": U.S. Attorney Leah Foley stated that Matthew Lane's actions "instilled fear in parents that their kids' information had been leaked into the hands of criminals – all to put a notch in his hacking belt." Lane's attorney did not respond to requests for comment.
The PowerSchool Breach
PowerSchool, a Folsom, California-based company, disclosed the breach in January. It stated that it learned of the breach on December 28, 2024, and decided to pay a ransom to prevent data from being made public. The breach exposed sensitive information belonging to over 60 million students and 10 million teachers.
According to prosecutors, Lane used the credentials of a PowerSchool contractor in September to gain access to its network and obtain student and teacher data. In December, he transferred data on students and faculty to a computer server he leased from a cloud storage provider in Ukraine, according to prosecutors.
Days later, PowerSchool received a ransom demand threatening to leak the names, addresses, Social Security numbers, and other sensitive data belonging to more than 60 million students and 10 million teachers unless it paid $2.85 million worth of bitcoin, according to prosecutors.
The Extortion Scam
Prosecutors stated that before hacking PowerSchool, Lane and others conspired to extort an unnamed telecommunications company into paying a $200,000 ransom to avoid the disclosure of data stolen from its network. The scam targeted school districts who use PowerSchool's software.
The Consequences
Lane agreed to plead guilty to engaging in cyber extortion and aggravated identity theft and accessing protected computers without authorization. He faces at least two years in prison for his role in the breach and extortion scheme.
A Growing Concern for Cybersecurity
The PowerSchool breach highlights the growing concern of cybersecurity threats to education institutions. As more schools rely on cloud-based software, the risk of data breaches and cyber attacks increases. It is essential for educators and administrators to take proactive measures to protect student and teacher information.