A Massachusetts man has been sentenced to four years in prison after breaching the network of educational software provider PowerSchool to steal sensitive data from millions of students and teachers, and subsequently extorting the company. Matthew Lane, 20, received the sentence from U.S. District Judge Margaret Guzman in Worcester, Massachusetts. He had pleaded guilty in June to charges including cyber extortion, aggravated identity theft, and unauthorized access to protected computers.
The breach affected over 60 million students and around 10 million teachers nationwide, exposing personal data, including names, addresses, and Social Security numbers. This significant incident occurred in December prior to PowerSchool’s public disclosure of the breach. Judge Guzman also ordered Lane to pay more than $14 million in restitution, alongside a $25,000 fine.
A spokesperson for PowerSchool expressed appreciation for the efforts of law enforcement in bringing Lane to justice. At the time of his arrest, Lane was a student at Assumption University in Worcester. Prosecutors detailed that in mid-2024, Lane exploited an earlier breach at a telecommunications firm, impersonating a member of a notorious hacking group to demand a $200,000 ransom to prevent the release of their data.
Following his unlawful access to PowerSchool’s network using stolen login information, Lane issued a ransom demand demanding $2.85 million in bitcoin to prevent the public release of the stolen data, a threat that led PowerSchool to make the difficult decision to pay the ransom to protect the sensitive information.
This case highlights the increasing prevalence of cybercrime in the education sector and the serious consequences that can arise from such malicious activities. The judicial action taken against Lane not only serves to hold him accountable for his actions but also emphasizes the importance of safeguarding sensitive data within educational institutions. As the digital landscape evolves, continued vigilance is crucial to preventing similar breaches and ensuring the protection of personal information belonging to students and educators alike.