19-Year-Old Admits to PowerSchool Data Breach Extortion

A 19-year-old college student faces charges after pleading guilty to cyber extortion targeting PowerSchool, exposing data of 60 million+ students & 10 million teachers. Learn about the repercussions of this breach dubbed the largest in US schools’ history.

A 19-year-old college student, Matthew D. Lane from Sterling, Massachusetts, has agreed to plead guilty in a cyber extortion case involving two US companies, including PowerSchool, a major education software provider.

The US Department of Justice (DOJ) announced on May 20 that Lane, a student at Assumption University, is accused of hacking into computer networks and demanding ransom payments.

According to the indictment (PDF), he faces several charges, including cyber extortion conspiracy, unauthorized computer access, and aggravated identity theft.

****PowerSchool Breach****

While the DOJ’s official statement doesn’t name the education software provider, it is understood to be PowerSchool, a widely used platform in schools across the US and Canada, acquired by Bain Capital in October 2024.

PowerSchool first reported unauthorized access to its PowerSource customer support portal on December 28, 2024. This breach exposed data belonging to over 60 million students and 10 million teachers from 6,505 school districts globally. It affected school boards in various Canadian provinces, including Ontario, Saskatchewan, Alberta, Newfoundland and Labrador, etc.

The stolen information was extensive, including full names, addresses, phone numbers, passwords, parent details, Social Security numbers, medical data, and even grades. Initially, PowerSchool did not confirm paying a ransom.

However, as Hackread.com recently reported, the company admitted to the payment in May after the attackers began contacting school districts directly, demanding additional money. PowerSchool stated, “We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”

****Past Crimes****

It is worth noting that before targeting PowerSchool, Lane and his alleged accomplices attempted to extort a US telecommunications company in 2022. They stole customer data and demanded $200,000 to prevent its public release but this attempt was unsuccessful.

Following this, the group turned their attention to PowerSchool. On December 28, 2024, PowerSchool received a Bitcoin ransom demand for roughly $2.85 million, with threats to publicize the stolen data if payment wasn’t made.

Despite PowerSchool paying a ransom (the exact amount remains unconfirmed) impacted school districts still received further demands, prompting PowerSchool to publicly disclose their payment. These ongoing threats saw hackers directly targeting schools and teachers for more payments, Hackread had reported at the time.

****Facing the Consequences****

Lane has agreed to plead guilty to one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. He faces significant penalties if convicted, including potential prison sentences ranging from two to five years, fines up to $250,000, and supervised release.

Kimberly Milka, Acting Special Agent in Charge of the FBI’s Boston Division, emphasized the FBI’s commitment to holding cyber criminals accountable, stating, “Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access.”

A plea hearing for Lane has not yet been scheduled, and he is considered innocent until proven guilty.