A 19-year-old Massachusetts student, Matthew D. Lane, has agreed to plead guilty to federal charges related to the hacking and extortion of two U.S.-based companies, one of which is believed to be education software provider PowerSchool. The plea agreement follows a federal investigation into a series of cyber intrusions and ransom demands that compromised sensitive data of millions of individuals.
Telecom Hack and Extortion
According to the indictment unsealed by the U.S. Department of Justice, Lane initially targeted a telecommunications company in October 2022. Using unauthorized access, he stole confidential customer data and, along with unnamed co-conspirators, later demanded a $200,000 ransom under the threat of leaking the stolen information. The indictment states that Lane claimed to possess the only copy of the data, pressuring the company into payment.
Breach of Education Technology Provider
The second, more extensive breach occurred in September 2024 when Lane allegedly accessed a company’s network using stolen employee credentials. The company, which serves school districts across the United States and Canada, had personal data belonging to millions of students and teachers. The indictment notes that names, addresses, Social Security numbers, medical records, and other sensitive information were exfiltrated and transferred to a server leased by Lane in Ukraine.
On December 28, 2024, the company received a ransom demand of approximately $2.85 million in Bitcoin, threatening to release the data of over 60 million students and more than 10 million educators unless the ransom was paid.
Although the indictment does not name the affected education company, the scale and nature of the breach closely match details made public about the PowerSchool hack that came to light in January 2025. PowerSchool, a California-based K–12 education technology firm, confirmed in January that personally identifiable information (PII) had been stolen from its Student Information System (SIS).
PowerSchool Investigation and Fallout
In March, cybersecurity firm CrowdStrike published its findings on the breach, reporting that hackers exploited credentials for a maintenance account to access PowerSchool’s SIS via the PowerSource support portal. The initial breach occurred between August and September 2024, with data exfiltration continuing between December 19 and December 28.
While PowerSchool has not officially confirmed whether a ransom was paid, multiple reports suggest the company may have paid to prevent the stolen information from being publicly leaked. However, in May, the Toronto District School Board (TDSB) reported that an unidentified threat actor had begun contacting school districts across North America, demanding additional ransoms and claiming to possess the stolen data.
Ongoing Legal Proceedings
The U.S. Department of Justice has stated that anyone concerned about whether their personal data was compromised should contact their local school district.
Lane’s plea agreement includes admissions to both hacking incidents and related extortion attempts. While a sentencing date has not yet been set, Lane faces a possible prison sentence and fines totaling hundreds of thousands of dollars.
The case underscores ongoing concerns about cybersecurity vulnerabilities in both public and private sectors, particularly in education, where vast amounts of sensitive data are stored across widely used digital platforms.
