A man from Massachusetts who hacked into the network of educational software provider PowerSchool to steal personal data of millions of students and teachers and extort the company has been sentenced to four years in prison. Matthew Lane, aged 20, received the sentence from U.S. District Judge Margaret Guzman in Worcester, Massachusetts, following his plea of guilt in June to charges linked to hacking activities involving two companies, including PowerSchool based in California.
The breach at PowerSchool in December 2024 exposed sensitive information of over 2.7 million current and former Canadian students, as well as a significant number in the United States. The compromised data included names, birth dates, addresses, emergency contact details, and even social insurance numbers, depending on the records maintained by the school boards.
Various school systems across Canada, such as Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, Prince Edward Island, and Saskatchewan, primarily utilize the web-based system for managing students’ personal information, grades, medical records, and other related details, with some using it as a communication platform with families.
Judge Guzman also mandated Lane to pay over $14 million US in restitution and imposed a $25,000 fine. In response to the sentencing, a spokesperson for PowerSchool expressed gratitude towards the prosecutors and law enforcement for the successful prosecution of the individual. However, Lane’s attorney did not provide any comment upon request.
Lane, who was a student at Assumption University in Worcester at the time of his initial charges, pleaded guilty in June to charges of cyber extortion, aggravated identity theft, and unauthorized access to protected computers. Prosecutors revealed that in mid-2024, Lane capitalized on a previous data breach at a telecommunications company and, posing as a member of a notorious hacking group, demanded a $200,000 ransom to prevent the leak of the company’s data. Exploiting stolen login credentials, Lane infiltrated PowerSchool’s network, enabling him to steal personal data of students and educators.
Following the breach, PowerSchool received a ransom demand threatening to expose sensitive information of millions of students and teachers unless a $2.85 million bitcoin ransom was paid. The same hacking group Lane claimed to represent during the telecommunications extortion incident was behind this ransom demand. PowerSchool opted to pay the ransom to ensure the deletion of the data and prevent its public disclosure. Subsequently, multiple school boards in Canada received ransom demands utilizing data obtained from the PowerSchool breach.