DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Massachusetts hacker to plead guilty to PowerSchool data breach (1)

Posted on May 20, 2025May 21, 2025 by Dissent

Nate Raymond reports:

A Massachusetts man has agreed to plead guilty to hacking cloud-based education software provider PowerSchool and stealing data pertaining to millions of students and teachers that hackers used to extort the company and school districts into paying ransoms.

Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester, Massachusetts, related to what prosecutors say were hacking schemes by him and others targeting PowerSchool and a telecommunications company designed to extort their victims into paying them in bitcoin.

The charges marked the first time authorities had identified who was responsible for the data breach at PowerSchool, which appeared to expose the data of tens of millions of American children.

Read more from Reuters at Investing.com.

Press Release from U.S. Attorney’s Office, District of Massachusetts:

BOSTON – A student at Assumption University in Worcester, Mass., has been charged, and has agreed to plead guilty, in connection with hacking into the computer networks of two U.S.-based companies and extorting the companies for ransoms.

Matthew D. Lane, 19, of Sterling, Mass., has agreed to plead guilty to one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft. A plea hearing has not yet been scheduled by the Court.

“Cyber extortion is a serious attack on our economy and on all of us. As alleged, this defendant stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt. The alleged ransoms that this defendant and others like him demand hurt victim companies and their innocent customers whose data the companies are entrusted to hold,” said United States Attorney Leah B. Foley.

“Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars. He also allegedly conspired to extort more money from a telecommunications provider over its confidential data,” said Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “This alleged scheme has resulted in serious consequences and highlights the FBI’s ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law.”

According to court filings, between April 2024 and May 2024, Lane agreed with others to extort a $200,000 ransom payment from a telecommunications company by threatening to publicly disseminate customer data that had previously been stolen from the company’s computer network. When the victim company questioned whether a ransom payment would in fact end the threat of its customer data being leaked, Lane allegedly responded, “We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked.”

It is further alleged that Lane used stolen login credentials to access the computer network of a second victim company – a software and cloud storage company that served school systems in the United States, Canada and elsewhere. Lane allegedly caused personally identifying information (PII) of students and teachers stored on that company’s networks to be transferred to a computer server that Lane leased in Ukraine.

Later, the second victim company and others received threats that the PII of more than 60 million students and 10 million teachers – including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords, among other data – would be “leak[ed] . . . worldwide” if the company did not pay a ransom of approximately $2.85 million in Bitcoin.

Members of the public who have questions or concerns as to whether a particular student and/or teacher’s information was compromised should contact their local school district.

The charges of cyber extortion conspiracy, cyber extortion and unauthorized access to protected computers each provide for a sentence of up to five years in prison, three years of supervised release and a fine of up to $250,000, or twice the gross gain or loss, whichever is greater. The charge of aggravated identity theft provides for a mandatory sentence of two years in prison, consecutive to any sentence imposed on the computer fraud charges. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.

U.S. Attorney Foley and FBI Acting SAC Milka made the announcement today. Valuable assistance was provided by the Assumption University Police Department. Assistant U.S. Attorney Kristen A. Kearney of the Securities, Financial & Cyber Fraud Unit is prosecuting the case.

The details contained in the charging document are allegations. The defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Updated May 20, 2025

Attachments

US v. Matthew Lane – Information [PDF, 198 KB]
US v. Matthew Lane – Plea Agreement [PDF, 4 MB]
Update 1:  DataBreaches emailed the media contact for the Massachusetts USAO to ask why Lane’s sentencing guidelines included enhancements for “Special skills” and the use of “sophisticated means because there was nothing in the court filings that really sounded sophisticated or requiring special skills. The USAMA replied:
The only information we can provide is that publicly available in the court filings – which are linked in the press release. Apart from that we have no comment. Thank you.

 

Category: Education SectorHackOf Note

Post navigation

← Cyberattack brings down Kettering Health phone lines, MyChart patient portal access (1)
Hacker who breached communications app used by Trump aide stole data from across US government →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Trump Rewrites Cybersecurity Policy in Executive Order
  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit
  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.