US College Student to Plead Guilty to Involvement in Recent PowerSchool Data Breach
Published on May 21, 2025
- An American college student was linked to hacking and exfiltrating data from PowerSchool in December.
- The individual entered a plea deal admitting to cyber extortion and aggravated identity theft.
- Besides, a minimum of $250,000 is to be paid as fine or twice the gross gain or loss.
A Massachusetts college student pleaded guilty to involvement in the cyberattack on PowerSchool, a leading cloud-based education management software provider and a platform that supports over 60 million students and thousands of schools globally
Matthew Lane, 19, entered a plea deal and admitted in federal court to cyber extortion, aggravated identity theft, and unauthorized computer access. Lane now faces a minimum of two years' imprisonment and a hefty fine of at least $250,000.
Prosecutors revealed that Lane gained entry to PowerSchool’s network in September by exploiting compromised contractor credentials, according to Reuters.
Notably, Lane’s activities were not limited to this incident. The Worcester Assumption University student and unnamed co-conspirators also extorted a telecommunications firm for $200,000 using similar tactics, demonstrating a concerning trend of ransomware and multi-company attacks enabled by credential misuse.
Once inside, he exfiltrated vast amounts of sensitive data, including names, addresses, and Social Security numbers of both students and educators. By December, he had transferred this data to a server housed in Ukraine, escalating the threat profile of the attack.
Extortion demands soon followed. PowerSchool was pressured to pay a $2.85 million ransom in bitcoin to prevent the public release of the stolen information. The company, fearing widespread exposure of personal data and the resulting reputational and financial damage, complied with the payment.
Multiple school districts affected by the breach similarly received extortion messages targeting the same dataset. The breach, first detected in late December 2024, was publicly disclosed the following month.
The exploitation of contractor credentials facilitated a large-scale compromise, highlighting the urgent need for robust identity and access management (IAM) practices, regular credential audits, and zero-trust security architectures in the education sector and beyond.
Last year, Highline Public Schools was the victim of an unclaimed cyberattack that suspended all school activities. Pembina Trails School Division was also hit by Rhysida Ransomware, and the stolen data ended up for sale on a breach forum.
Related
Most Popular
Most Popular