Cybercriminal Pleads Guilty After Student Data Theft Led to PowerSchool Extortion

19-year-old Massachusetts student admits to allegations he extorted millions of dollars from PowerSchool by threatening to leak stolen student and teacher data.

PowerSchool hacker pleads guilty

A Massachusetts college student has admitted to allegations that he orchestrated a major cyberattack that compromised data from millions of students and teachers.

19-year-old Matthew D. Lane has agreed to plead guilty to four federal charges, including identity theft and cyber extortion, for his alleged instrumental role in the PowerSchool breach and a related extortion campaign.

Telecom company hack led to PowerSchool fiasco

According to the US Department of Justice (DoJ), Lane and his accomplices initially infiltrated a telecommunications company in 2022, stealing customer data and login credentials.

The breach also granted the perpetrators access details for a contractor linked to PowerSchool, an education technology company used by school districts across North America.

Credentials weaponized for catastrophic breach

The attackers weaponized the stolen credentials to gain access to PowerSchool in December 2024, reportedly exploiting internal support tools to steal confidential data.

The threat actors downloaded sensitive records of more than 62 million students and 9.5 million teachers from more than 6,500 school districts.

Stolen information included names, home addresses, contact information, Social Security Numbers (SSNs), grades, and even medical data, varying by district. Shortly afterward, threat actors demanded a $2.85 million ransom from PowerSchool, threatening to leak the data globally if payment wasn’t made.

Persuasion attempts after alleged ransom payment

Although PowerSchool is believed to have paid at least part of the ransom, attackers continued to coerce individual school districts for additional payments. These follow-up demands were allegedly signed by “Shiny Hunters,” a threat group linked to several major breaches.

In addition to the PowerSchool-related charges, Lane also faces charges in relation to the earlier telecom breach, where he is accused of demanding $200,000 and issued threats against executives. He now faces a mandatory minimum of two years in prison for identity theft and potential five-year sentences for each of the other three charges.

Being prepared for data breaches

Dedicated software like Bitdefender Digital Identity Protection can help you prepare for the fallout of data breaches.

It constantly monitors your online data, continuously scans both the public and Dark Web, notifies you if you have been compromised by a breach, and helps you patch weak spots in your digital footprint with quick, 1-click action items.