Massachusetts College Student to Plead Guilty in PowerSchool Cyberattack That Exposed Millions of Student Records

This is the first time law enforcement has publicly identified a suspect behind the PowerSchool breach.

Boston: A 19-year-old college student from Massachusetts has agreed to plead guilty to hacking into the systems of PowerSchool, a widely used cloud-based education software provider, in a breach that compromised the personal data of millions of students and teachers across the United States.

Federal prosecutors in Worcester, Massachusetts, announced that Matthew Lane, a student at Assumption University, had entered into a plea agreement to resolve charges related to cyber intrusions targeting two companies. Although the court filings did not name the victims, a person familiar with the case confirmed that PowerSchool was one of them.

The breach, which PowerSchool disclosed in January, exposed sensitive data including names, addresses, Social Security numbers, and other identifying information of more than 60 million students and 10 million teachers. The platform is used by over 18,000 schools nationwide.

According to the U.S. Department of Justice, Lane accessed PowerSchool’s network in September 2024 using login credentials belonging to one of its contractors. He later transferred the stolen data to a server rented from a Ukrainian cloud storage provider. In late December, PowerSchool received a ransom demand threatening to publicly release the stolen information unless $2.85 million in bitcoin was paid.

“[His actions] instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt,” said U.S. Attorney Leah Foley.

Lane’s attorney did not respond to requests for comment.

This is the first time law enforcement has publicly identified a suspect behind the PowerSchool breach. The case underscores growing concerns about the vulnerability of educational institutions to cyberattacks and the increasing frequency of ransomware targeting schools.

PowerSchool reported learning of the breach on December 28, 2024, and decided to pay a ransom to prevent the data from being released. The company later disclosed that other school districts also received similar extortion demands tied to the same stolen data.

Before the PowerSchool breach, Lane and unnamed co-conspirators were involved in a separate extortion scheme against a telecommunications company, demanding $200,000 in exchange for not releasing stolen data.

Lane has agreed to plead guilty to charges of cyber extortion, aggravated identity theft, and unauthorized access to protected computers. He faces a mandatory minimum sentence of two years in federal prison.
