A Massachusetts student, Matthew D. Lane, 19, is set to plead guilty to federal charges linked to hacking and extorting a major U.S. education tech company. Lane reportedly used stolen login credentials to breach the network of an unnamed software firm providing services to schools throughout North America and beyond. The breach resulted in the theft of personal data from over 60 million students and 10 million teachers, including sensitive information like names, addresses, phone numbers, Social Security numbers, medical records, and academic grades. The hackers even managed to get their hands on decades worth of historical student data.
The software company in question was not explicitly named, but federal prosecutors provided specific details aligning with a data breach at PowerSchool, an education software maker that disclosed being hacked as far back as August and September 2024. Schools primarily in the U.S. and Canada, using PowerSchool’s software for managing student information, were impacted by the breach. Lane allegedly collaborated with an unidentified co-conspirator from Illinois to extort around $2.85 million in cryptocurrency from PowerSchool. Despite PowerSchool admitting to paying the hackers to erase the stolen data, several school districts reported receiving extortion demands, claiming the data had not been deleted. An investigation revealed that these attempts were linked to the previously stolen data in December, not to a new breach.
Lane is also accused of hacking and extorting a U.S. telecoms provider, although the company remains unnamed in the plea agreement. Lane’s lawyer, Sean Smith, has not provided any comments on the matter. The U.S. Attorney’s Office for Massachusetts declined to disclose the identities of the victims involved in the case. PowerSchool spokesperson Beth Keebler acknowledged being aware of the court filing but deferred further comments to the U.S. Attorney’s Office. Keebler did not contest the ransom amount mentioned by prosecutors.
As the situation continues to unfold, it remains unclear how Lane and his accomplice managed to breach the systems and steal such vast amounts of sensitive data. The implications of this cybercrime extend beyond just financial losses, with the privacy and security of millions of students and teachers compromised. The fact that Lane was able to carry out these attacks with seemingly little resistance raises questions about the overall cybersecurity measures in place at these educational institutions and tech companies. It’s a stark reminder of the constant threat posed by malicious actors in the digital age, highlighting the critical need for robust cybersecurity protocols to safeguard personal information from falling into the wrong hands.
