Nate Raymond reports:
A Massachusetts man has agreed to plead guilty to hacking cloud-based education software provider PowerSchool and stealing data pertaining to millions of students and teachers that hackers used to extort the company and school districts into paying ransoms.
Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester, Massachusetts, related to what prosecutors say were hacking schemes by him and others targeting PowerSchool and a telecommunications company designed to extort their victims into paying them in bitcoin.
The charges marked the first time authorities had identified who was responsible for the data breach at PowerSchool, which appeared to expose the data of tens of millions of American children.
Read more from Reuters at Investing.com.
Press Release from U.S. Attorney’s Office, District of Massachusetts:
BOSTON – A student at Assumption University in Worcester, Mass., has been charged, and has agreed to plead guilty, in connection with hacking into the computer networks of two U.S.-based companies and extorting the companies for ransoms.
Matthew D. Lane, 19, of Sterling, Mass., has agreed to plead guilty to one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft. A plea hearing has not yet been scheduled by the Court.
“Cyber extortion is a serious attack on our economy and on all of us. As alleged, this defendant stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt. The alleged ransoms that this defendant and others like him demand hurt victim companies and their innocent customers whose data the companies are entrusted to hold,” said United States Attorney Leah B. Foley.
“Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars. He also allegedly conspired to extort more money from a telecommunications provider over its confidential data,” said Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “This alleged scheme has resulted in serious consequences and highlights the FBI’s ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law.”
According to court filings, between April 2024 and May 2024, Lane agreed with others to extort a $200,000 ransom payment from a telecommunications company by threatening to publicly disseminate customer data that had previously been stolen from the company’s computer network. When the victim company questioned whether a ransom payment would in fact end the threat of its customer data being leaked, Lane allegedly responded, “We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked.”
It is further alleged that Lane used stolen login credentials to access the computer network of a second victim company – a software and cloud storage company that served school systems in the United States, Canada and elsewhere. Lane allegedly caused personally identifying information (PII) of students and teachers stored on that company’s networks to be transferred to a computer server that Lane leased in Ukraine.
Later, the second victim company and others received threats that the PII of more than 60 million students and 10 million teachers – including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords, among other data – would be “leak[ed] . . . worldwide” if the company did not pay a ransom of approximately $2.85 million in Bitcoin.
Members of the public who have questions or concerns as to whether a particular student and/or teacher’s information was compromised should contact their local school district.
The charges of cyber extortion conspiracy, cyber extortion and unauthorized access to protected computers each provide for a sentence of up to five years in prison, three years of supervised release and a fine of up to $250,000, or twice the gross gain or loss, whichever is greater. The charge of aggravated identity theft provides for a mandatory sentence of two years in prison, consecutive to any sentence imposed on the computer fraud charges. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
U.S. Attorney Foley and FBI Acting SAC Milka made the announcement today. Valuable assistance was provided by the Assumption University Police Department. Assistant U.S. Attorney Kristen A. Kearney of the Securities, Financial & Cyber Fraud Unit is prosecuting the case.
The details contained in the charging document are allegations. The defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.