A 19-year-old student from Worcester, Massachusetts, has agreed to plead guilty to multiple federal cybercrime charges. The Department of Justice confirmed that Matthew D. Lane faces four counts including cyber extortion, conspiracy, unauthorized computer access, and identity theft. Lane and his co-conspirators breached a U.S. telecom company in 2022 to steal confidential customer information. They also obtained credentials belonging to an employee who worked for PowerSchool through that telecom firm. After failing to extort the telecom company, they shifted focus to targeting an educational software firm for ransom. DOJ documents show that Lane encouraged further hacking of companies likely to pay. His messages revealed a calculated plan to resell stolen data if demands were ignored. The Justice Department alleges these actions were intended to monetize stolen data at the expense of major institutions.
Sources confirmed the targeted education company was PowerSchool, a major school management software provider used globally.
Using stolen contractor credentials, attackers breached PowerSchool in December 2024 and accessed their internal support platform. They deployed a maintenance tool to download vast databases of sensitive school data. This included records for over 62.4 million students and 9.5 million teachers. The data came from 6,505 school districts in the United States, Canada, and other countries. Compromised details included full names, addresses, phone numbers, and Social Security numbers. In many cases, academic grades, medical records, passwords, and parent contact information were also stolen. On December 28, 2024, PowerSchool received a ransom demand of $2.85 million in Bitcoin.
Threats warned of a worldwide leak of all student and faculty data.
While PowerSchool reportedly paid the ransom, follow-up extortion attempts targeted individual school districts. These secondary attacks pressured districts to make separate ransom payments under threat of exposing local data. Many of these follow-up ransom demands claimed to originate from the hacking group Shiny Hunters. Shiny Hunters has been linked to other major breaches, including the AT&T attack affecting 109 million people. They were also reportedly involved in the recent Snowflake-related data thefts. Although some members of Shiny Hunters have been arrested, others may still be active or inspiring imitators. Experts suggest that these follow-up demands may come from other actors posing as the original group. The overlapping nature of these attacks highlights the scale and sophistication of modern cyber extortion campaigns. Schools and tech companies remain popular and vulnerable targets for threat actors worldwide.
In addition to the PowerSchool breach, Lane is charged for trying to extort the telecom company first. Prosecutors say Lane demanded $200,000 in ransom and threatened executives when the demand went unpaid. He used aggressive tactics in both cases, combining data theft with financial threats. The DOJ now holds him accountable for causing widespread harm to millions of individuals. As part of a plea agreement, Lane has accepted responsibility for all four counts brought against him. He faces a mandatory two-year sentence for identity theft under federal guidelines. Each remaining charge carries up to five years in prison if sentences are served consecutively. The case represents one of the largest educational data breaches linked to an American citizen. The outcome may shape how cybercriminals are prosecuted in future data extortion cases involving schools.
Reference:
