U.S. college student pleads guilty in data breach that affected North American schools
A Massachusetts college student, Matthew Lane, has reached an agreement to plead guilty to charges related to hacking cloud-based education software provider PowerSchool and stealing data of millions of North American students and teachers. This data was then used by hackers to extort both the company and various school districts for ransom payments.
Lane, who is 19 years old and a student at Assumption University in Worcester, entered into a plea deal on Tuesday to resolve the federal charges filed against him in Worcester, Mass. While court documents did not explicitly name PowerSchool as one of the affected companies, sources familiar with the case confirmed that it was indeed one of the victims.
This incident marks the first time that authorities have identified the perpetrator behind the data breach at PowerSchool, which potentially exposed the personal information of tens of millions of children. PowerSchool’s software is widely used by more than 18,000 schools to support over 60 million students across North America.
The breach also impacted several school boards in Canada, including those in Ontario, Saskatchewan, Alberta, Newfoundland and Labrador, Nova Scotia, Prince Edward Island, Manitoba, and the Northwest Territories.
U.S. Attorney Leah Foley condemned Lane’s actions, stating that they caused fear among parents who were concerned about their children’s information falling into the hands of criminals. Foley described Lane’s actions as an attempt to boost his reputation as a hacker.
PowerSchool first disclosed the breach in January after discovering it on December 28, 2024. The company decided to pay a ransom to prevent the leaked data from becoming public. Subsequently, multiple school districts also received extortion demands related to the same stolen data.
According to prosecutors, Lane used the credentials of a PowerSchool contractor in September to gain unauthorized access to the network and extract student and teacher data. In December, he transferred this stolen data to a server he had leased from a cloud storage provider in Ukraine.
Shortly after, PowerSchool received a ransom demand threatening to expose the sensitive data of more than 60 million students and 10 million teachers unless a ransom of $2.85 million US worth of bitcoin was paid. Prior to targeting PowerSchool, Lane and his associates had also extorted a telecommunications company for a $200,000 US ransom to prevent the disclosure of stolen data from its network.
As part of his plea deal, Lane agreed to plead guilty to charges of cyber extortion, aggravated identity theft, and unauthorized access to protected computers. He faces a minimum of two years in prison for his actions.
