PowerSchool Hacker Sentenced to 4 Years in Prison

Summary
– Matthew D. Lane, a 19-year-old from Massachusetts, was sentenced to 4 years in prison for orchestrating a cyberattack on PowerSchool in December 2024 that caused a massive data breach.
– He pleaded guilty to four federal charges, including unauthorized access to protected computers, cyber extortion conspiracy, cyber extortion, and aggravated identity theft.
– Lane and accomplices used stolen credentials to breach PowerSchool’s systems, downloading personal data of 9.5 million teachers and 62.4 million students from 6,505 school districts worldwide.
– They sent ransom demands for $2.85 million in Bitcoin, claiming to be from the Shiny Hunters threat group, and attempted additional extortion even after PowerSchool paid a ransom.
– PowerSchool faced a lawsuit from Texas Attorney General Ken Paxton for failing to protect data and misleading customers about its security practices.
A college student from Massachusetts has received a four-year prison sentence for masterminding a significant cyberattack against PowerSchool, a leading provider of cloud-based software for K-12 education. This 2024 security breach compromised the personal information of tens of millions of students and teachers globally, highlighting critical vulnerabilities in educational technology infrastructure.
Matthew D. Lane, a 19-year-old from Worcester, was sentenced by U.S. District Judge Margaret R. Guzman. The court also mandated that he pay $14 million in restitution along with a $25,000 fine. Lane had previously entered a guilty plea in May 2025 to four federal charges, which included unauthorized access to protected computers, conspiracy to commit cyber extortion, cyber extortion itself, and aggravated identity theft.
According to the U.S. Department of Justice, Lane and his associates gained access to PowerSchool’s systems by using login credentials stolen from a subcontractor. On December 19, 2024, they infiltrated the PowerSource customer support portal and a maintenance tool. Through these points of entry, they successfully downloaded databases containing highly sensitive information belonging to 9.5 million teachers and 62.4 million students from 6,505 school districts around the world.
The stolen data was extensive, covering full names, home addresses, phone numbers, passwords, parent contact details, Social Security numbers, and confidential medical records. After exfiltrating this information, the hackers sent ransom demands on December 28, asking for $2.85 million in Bitcoin to prevent the public release of the data. The ransom letters were attributed to Shiny Hunters, a well-known cybercriminal group associated with several other major data breaches, including the 2022 AT&T incident.
Although PowerSchool confirmed it made a payment to the hackers, the exact amount remains undisclosed. Despite receiving this payment, Lane and his co-conspirators allegedly proceeded to contact individual school districts, attempting to extort additional payments by threatening to leak student data specific to those districts.
An investigation later revealed that the PowerSource portal had been breached on two prior occasions in August and September of 2024, using the same compromised credentials. A forensic analysis conducted by CrowdStrike, however, did not find conclusive evidence linking the same attacker to all three separate security incidents.
In the aftermath of the breach, PowerSchool is also facing legal repercussions. Last month, Texas Attorney General Ken Paxton filed a lawsuit against the company, accusing it of failing to adequately protect the data of Texas families and school districts. The lawsuit further alleges that PowerSchool misled its customers regarding the robustness of its security protocols.
(Source: Bleeping Computer)