19-Year-Old Student Pledges Guilty to Massive School Database Hack
A 19-year-old college student, Matthew Lane of Massachusetts, has agreed to plead guilty to four counts related to a massive hack against PowerSchool, a popular student information system used by schools across the country. The Department of Justice announced the plea deal on Tuesday, citing charges of cyber extortion, unauthorized access to protected computers, and aggravated identity theft.
The details outlined in the DOJ's press release match the attack described by PowerSchool earlier this year. In January, PowerSchool revealed that it had fallen victim to a data breach involving the "unauthorized exfiltration of certain personal information" from its customer support portal, known as PowerSource. The company later acknowledged paying a $2.85 million ransom in an attempt to keep the attacker from releasing the stolen data.
However, PowerSchool customers received additional threats to expose the stolen data after the ransom was paid. "As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us," PowerSchool said in a statement.
The DOJ accuses Lane of using stolen login credentials to break into PowerSchool's system and transfer the personal information of millions of students and teachers to a computer server in Ukraine. The agency has also charged Lane with breaching and extorting another unnamed US-based telecom company.
"As alleged, this defendant stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids' information had been leaked into the hands of criminals — all to put a notch in his hacking belt," said US Attorney Leah Foley in a press release.
The case highlights the growing threat of cyber attacks against schools and educational institutions. As technology continues to advance, it is becoming increasingly important for organizations to prioritize cybersecurity measures to protect sensitive student data.