Matthew D. Lane, a student at Assumption University in Worcester, has agreed to plead guilty to multiple federal charges. Prosecutors say he stole and attempted to extort sensitive data affecting more than 60 million students and 10 million teachers. The breach is being called the largest known theft of student data in U.S. history.
Attack Used Stolen Contractor Credentials
According to federal investigators, Lane accessed PowerSchool’s internal network in September 2024 by using stolen login credentials from one of the company’s contractors. This unauthorized access violated the Computer Fraud and Abuse Act (CFAA), a federal law that prohibits hacking into protected systems.
Once inside, Lane stole large amounts of personally identifiable information (PII), including names, birthdates, Social Security numbers, addresses, phone numbers, medical records, and guardian details. He later moved this data to a remote server in Ukraine to avoid detection and hinder recovery efforts.
The method used, known as “credential stuffing,” allowed Lane to bypass standard security barriers. Unlike ransomware attacks that lock files, this breach focused on stealing data and using it for blackmail—a tactic known as “data heist” or “extortionware.”
Ransom Demands and Ongoing Threats
After stealing the data, Lane demanded a $2.85 million ransom in Bitcoin from PowerSchool, threatening to release the information if the company refused to pay. In a message to PowerSchool, he warned, “We are the only ones with a copy of this data now. Stop this nonsense or your executives and employees will see the same fate.”
Although a payment was made, reports suggest the stolen data was not deleted. Instead, school districts affected by the breach later received their own extortion threats, indicating that the data may have been shared or sold.
Prosecutors also revealed that Lane and accomplices attempted a separate $200,000 extortion scheme against a U.S. telecom company in early 2024. These actions led to additional charges, including conspiracy to commit cyber extortion, unauthorized computer access, and aggravated identity theft, which carries a mandatory two-year prison sentence.
Wider Impact and Industry Response
PowerSchool’s platform supports over 60 million students in more than 18,000 schools across 90 countries. The scale of the breach sent shockwaves through the education sector.
A post-incident review by cybersecurity firm CrowdStrike found that PowerSchool had weak security controls, including poor credential management and a lack of multi-factor authentication for sensitive systems.
In response, the company notified all affected users and is offering two years of free identity protection and credit monitoring. PowerSchool also pledged to strengthen its cybersecurity practices and cooperate fully with law enforcement.
A Wake-Up Call for Schools
This case highlights the urgent need for better cybersecurity in education. Schools and their technology providers must adopt stronger security policies, reduce data collection, encrypt sensitive information, and train staff regularly to prevent future attacks.
As Lane awaits sentencing, the case serves as a landmark in the fight against cybercrime in schools—underscoring the importance of vigilance, responsibility, and innovation in protecting student data.