A Massachusetts college student has been sentenced to four years in prison for his role in hacking and extorting millions of dollars from two companies, one of which was identified as PowerSchool. Matthew D. Lane pleaded guilty in May to hacking the networks of a telecommunications company and a school software provider. He then extorted approximately $3 million from them. In addition to his prison sentence, Lane was also ordered to pay $14 million in restitution and a $25,000 fine.
According to court documents, from April to May of 2024, Lane and his co-conspirators extorted $200,000 from the telecommunications company. They threatened to leak customer data stolen in a 2022 breach. He was also charged with accessing the network of a company that offers software and cloud storage to schools in the U.S. and Canada. This second hack occurred in September 2024, with a second breach in December, when he stole information on students and teachers.
The hackers accessed a wide range of sensitive data, including names, addresses, dates of birth, Social Security numbers, medical information, and phone numbers. They then demanded a ransom of $2.85 million in Bitcoin to prevent the information from being leaked. Although the second victim company was not officially named in court, the details of the attack align with a known hack on PowerSchool, which is estimated to have affected nearly 70 million people.
PowerSchool confirmed in May that it paid the ransom to prevent the data from being leaked and to ensure it was deleted. However, the attackers did not delete the information and instead began extorting individual school districts in the U.S. and Canada. Documents show that Lane returned about $160,000 of the stolen funds, but the majority of the $3 million remains unaccounted for.
Lane’s sentence includes four years in federal prison and three years of supervised release. This case highlights the severe consequences of cybercrime and the long-lasting impact these crimes have on both companies and individuals.
Reference:
