**US Teen to Plead Guilty in PowerSchool Extortion Campaign**

A shocking case of cyber extortion has come to light, as a 19-year-old college student from Massachusetts has agreed to plead guilty to a large-scale scheme targeting the popular education software provider, PowerSchool.

The US Department of Justice (DOJ) recently published an official document detailing Matthew D. Lane's alleged crimes, which have sent shockwaves through the cybersecurity community. According to the document, Lane, a student at Assumption University in Worcester and a resident of Sterling, Massachusetts, has been accused of hacking into the computer networks of two US-based companies and extorting them for ransoms.

The alleged scheme began in 2022, when Lane and his associates compromised a US telecommunications company, resulting in the theft of sensitive customer data. The breach also yielded login credentials for PowerSchool, which were associated with a contractor who worked with the education company. Over the next two years, Lane agreed with others to extort a $200,000 ransom payment from the telecommunications company by threatening to publicly disseminate customer data that had previously been stolen from the company's computer network.

Following an unsuccessful extortion attempt against the telecom firm, Lane and his co-conspirators targeted PowerSchool, demanding a ransom in exchange for not releasing the stolen data. The DOJ alleges that PowerSchool was sent a Bitcoin ransom demand worth approximately $2.85m on December 28, 2024. The demand threatened that if the payment were not made, the stolen data would be made public globally.

PowerSchool is a widely used education software provider in the US and Canada, acquired by private investment firm Bain Capital in October 2024. In January 2025, PowerSchool revealed that a malicious actor gained unauthorized access to certain information through one of its community-focused customer support portals, PowerSource, on December 28, 2024. The affected databases held personal data of over 60 million students and 10 million teachers from 6,505 school districts globally.

It is reported that the company paid a ransom to prevent attackers from releasing the stolen data of students and teachers. A message to parents by the Howard-Suamico School District in Wisconsin, US, seen by news outlet NBC 26, read: “PowerSchool confirmed that this was not a ransomware attack, but it did pay a ransom to prevent the data from being released.”

While PowerSchool at first declined to confirm to news outlets, including Infosecurity, that it had paid, it admitted to the payment in May after the threat actor contacted multiple school district customers in a new attempt to extort them using data from the December 2024 incident. “We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” the company wrote in the update dated May 7.

The DOJ public statement and the court document about Lane's charges do not explicitly mention PowerSchool, instead referring to it as “an education software provider.” However, news outlet BleepingComputer said it could confirm that PowerSchool was the company Lane and his co-conspirators gained unauthorized access to.

According to the DOJ, if convicted, Lane faces significant penalties. The charges carry potential sentences ranging from two to five years in prison, fines of up to $250,000, and supervised release. The exact sentence will be determined by a federal judge based on US Sentencing Guidelines and relevant laws.

Kimberly Milka, Acting Special Agent in Charge of the FBI's Boston Division, stated: “Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars. He also allegedly conspired to extort more money from a telecommunications provider over its confidential data.”

“This alleged scheme has resulted in serious consequences and highlights the FBI's ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law,” she added.

The charges outlined are allegations, and the defendant is considered innocent until proven guilty in a court of law. A plea hearing has yet to be scheduled.