A 19-year-old college student from Worcester, Massachusetts, has pleaded guilty to a large-scale cyberattack and extortion scheme targeting PowerSchool, an education technology company used by thousands of school districts across North America. According to the U.S. Department of Justice, Matthew D. Lane admitted to four federal charges, including conspiracy to commit cyber extortion, unauthorized access to protected computers, and aggravated identity theft.
Court records show that Lane and co-conspirators first breached a U.S.-based telecommunications company in 2022, stealing sensitive customer data. During that attack, they also obtained credentials belonging to an employee of a PowerSchool contractor, which were later used to access PowerSchool’s systems. By December 2024, Lane and his associates had compromised PowerSchool’s support platform, PowerSource, and exfiltrated databases containing the personal data of over 71 million students and teachers.
“On or about May 14, 2024, LANE messaged CC-1 that if Victim 1 did not pay the ransom, LANE and CC-1 could sell the Stolen Victim 1 Data,” the DOJ complaint states.
“LANE further suggested, ‘we need to hack another… company that[’]ll pay.’”
While the DOJ complaint stops short of naming PowerSchool, sources confirmed to BleepingComputer that the company referenced in the complaint is indeed PowerSchool.
The stolen PowerSchool data, extracted using a maintenance tool, affected 6,505 school districts across the U.S., Canada, and other countries. The breach exposed names, addresses, phone numbers, grades, medical information, Social Security numbers, and even parent contact details, depending on the district.
“This breach involved 62.4 million students and 9.5 million teachers,” according to BleepingComputer’s earlier reporting. “The stolen data posed a severe threat to student privacy and school security infrastructure.”
On December 28, 2024, PowerSchool received a ransom demand of approximately $2.85 million in Bitcoin, with the threat that the data would be leaked globally if payment was not made. While PowerSchool reportedly paid the ransom, the attackers did not stop there. Threat actors went on to contact individual school districts, attempting to extort additional payments under the threat of publishing sensitive student data.
These extortion demands claimed to originate from the notorious hacking group ShinyHunters, linked to previous high-profile breaches including the SnowFlake cyberattacks and the 2022 AT&T breach that exposed data on 109 million people. Despite multiple arrests of individuals tied to these incidents, federal authorities believe other actors or impersonators may still be operating under the ShinyHunters name.
In addition to the PowerSchool cyberattack, Lane also admitted to attempting to extort the telecommunications company, demanding a $200,000 ransom and issuing direct threats against company executives.
Lane’s guilty plea carries a mandatory minimum sentence of two years for the identity theft charge and up to five years for each of the remaining charges. The case marks one of the most significant examples of student data extortion in recent years and highlights the increasing vulnerability of the education sector to cybercrime.
