A Massachusetts college student, Matthew Lane, 19, has pleaded guilty to federal charges related to a significant data breach at PowerSchool, a company that manages data for millions of students and teachers worldwide. The breach potentially exposed the private information of millions of North Carolina teachers, students, and parents. Lane, from Worcester County, Massachusetts, entered a plea deal with federal prosecutors on Tuesday, admitting to charges including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft.
The data breach, which occurred in September 2024, was tied to Lane’s hacking of PowerSchool’s system. According to prosecutors, Lane and his co-conspirators stole data from PowerSchool and demanded a ransom of about $2.85 million in bitcoin, threatening to release the data of approximately 60 million students and 10 million teachers worldwide if their demands were not met. PowerSchool reportedly paid a ransom to the hackers and watched as the data was deleted via video, expressing confidence that the data would not be leaked.
However, days after a report by WRAL this month, some North Carolina school employees began receiving threatening messages from someone claiming to have the stolen data and demanding bitcoin to keep it secure. Students and staff affected by the breach have until July 31 to enroll in free identity protection and credit monitoring, courtesy of PowerSchool.
The investigation into the data breach is ongoing, with North Carolina Attorney General Jeff Jackson stating that his office will continue to investigate PowerSchool’s role in the incident. “This hacker compromised the personal data of millions of people in our state and I’m glad to see he is being brought to justice,” Jackson said. “My office will continue its investigation into PowerSchool’s role in this event.”
Lane’s actions were not limited to PowerSchool. He also hacked into a telecommunications company in May 2024, stealing data and demanding $200,000 in bitcoin. When the company refused to pay, Lane reduced his demand to $75,000 before deciding to target another company that would be more willing to pay.
Lane faces up to 17 years in prison and potential fines or forfeiture, with prosecutors recommending at least $161,000 in forfeitures. His guilty pleas were related to two cyber extortion charges, unauthorized access to a company’s network, and using a contractor’s credentials to access that network.
