By Nate Raymond
BOSTON (Reuters) – A Massachusetts man has agreed to plead guilty to hacking cloud-based education software provider PowerSchool and stealing data pertaining to millions of students and teachers that hackers used to extort the company and school districts into paying ransoms.
Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester, Massachusetts, related to what prosecutors say were hacking schemes by him and others targeting PowerSchool and a telecommunications company designed to extort their victims into paying them in bitcoin.
The charges marked the first time authorities had identified who was responsible for the data breach at PowerSchool, which appeared to expose the data of tens of millions of American children. PowerSchool’s software is used by more than 18,000 schools to support over 60 million students nationally.
Prosecutors did not identify PowerSchool by name in court papers, but a person familiar with the matter confirmed the company was one of the corporate victims. A PowerSchool spokesperson referred questions to the U.S. Attorney’s Office.
Lane’s attorney did not respond to requests for comment.
Folsom, California-based PowerSchool disclosed the breach in January. It has said it learned of it on December 28, 2024 and decided to pay a ransom because it believed it was the best option to prevent data from being made public.
The company said earlier this month it has become aware that multiple school districts have also received extortion demands related to the same data.
According to prosecutors, Lane used the credentials of a PowerSchool contractor in September to gain access to its computer network and obtain student and teacher data.
In December he transferred data on students and faculty to a computer server he leased from a cloud storage provider in Ukraine, according to prosecutors.
Days later, PowerSchool received a ransom demand threatening to leak the names, addresses, Social Security numbers and other sensitive data belonging to more than 60 million students and 10 million teachers unless it paid $2.85 million worth of bitcoin, according to prosecutors.
They said that before hacking PowerSchool, Lane and others conspired to extort an unnamed telecommunications company into paying a $200,000 ransom to avoid the disclosure of data stolen from its network.
He agreed to plead guilty to engaging in cyber extortion and aggravated identity theft and accessing protected computers without authorization. He faces at least two years in prison.
(Reporting by Nate Raymond in Boston; additional reporting by AJ Vicens in Detroit; Editing by Alexia Garamfalvi and Richard Chang)
Comments