Teen Hacker Admits Guilt in PowerSchool Breach

A 19-year-old Massachusetts college student has agreed to plead guilty to a series of federal charges stemming from a sophisticated cyberattack and extortion scheme targeting PowerSchool, the leading student information system provider for K-12 schools in North America. 

The breach, which compromised the data of over 60 million students and 10 million teachers, is being called the largest single breach of American schoolchildren’s data to date. 

The case highlights the growing threat of cyber extortion and the critical need for robust cybersecurity in the education sector.


Student Accused of Stealing PII via Compromised Credentials

Federal prosecutors allege that Matthew D. Lane, a student at Assumption University in Worcester, Massachusetts, orchestrated the attack by exploiting stolen credentials belonging to a PowerSchool contractor. 

Using these credentials, Lane gained unauthorized access to PowerSchool’s protected computer network in September 2024, violating the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030. 

The CFAA prohibits unauthorized access to protected computers, including those used by major service providers like PowerSchool.

Once inside the network, Lane exfiltrated massive quantities of personally identifiable information (PII) from PowerSchool’s Student Information System (SIS). 

The stolen data included names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, and parent or guardian details. 

Lane then transferred this sensitive information to a server he leased in Ukraine, thereby complicating law enforcement’s ability to recover the data and trace its movement.

The technical vector for the breach was a compromised login credential, which allowed Lane to bypass traditional perimeter defenses and access the SIS database directly. 

This method, usually described as credential compromise (or credential stuffing when stolen credential lists are replayed at scale), is increasingly common in modern cyberattacks, particularly against cloud-based SaaS providers. 

Unlike traditional ransomware attacks, Lane’s operation did not encrypt files but instead focused on data exfiltration and extortion, a tactic known as “extortionware” or “data heist”.

Extortion Demands and Legal Implications

After securing the stolen data, Lane issued a ransom demand to PowerSchool, threatening to leak the PII of millions of students and teachers worldwide unless the company paid approximately $2.85 million in Bitcoin. 

The extortion message warned, “We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked.” 

Despite the payment, subsequent reports indicate that the stolen data was not fully deleted as promised by the attackers. 

Instead, individual school districts whose data was stored in PowerSchool’s databases began receiving their own extortion demands, suggesting that the threat actors had retained or further distributed the data. 

This development underscores the inherent risks in negotiating with cybercriminals and the persistent threat posed by stolen data, even after ransom payments.

Lane’s activities extended beyond PowerSchool. Prosecutors also allege that, between April and May 2024, Lane and unnamed co-conspirators attempted to extort $200,000 from a U.S. telecommunications company by threatening to release stolen customer data. 

These acts resulted in multiple federal charges, including cyber extortion conspiracy, unauthorized access to protected computers, and aggravated identity theft under 18 U.S.C. § 1028A, which carries a mandatory two-year prison sentence consecutive to any other penalties.

PowerSchool’s breach sent shockwaves throughout the education sector, as the company’s cloud-based SIS platform is used by more than 18,000 educational institutions across 90 countries, supporting over 60 million students.

A post-breach audit by cybersecurity firm CrowdStrike revealed that the company had failed to implement some basic security controls, such as robust credential management and multi-factor authentication for critical systems. 
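The breach vector above (a contractor's stolen credential used without MFA to bulk-export SIS data) is the kind of activity an audit-log rule can surface. The following is an added illustration, not PowerSchool's or CrowdStrike's code; the event fields, the baseline geographies and the export threshold are assumptions, and the log records are constructed.

```python
"""Flag a no-MFA contractor session that bulk-exports SIS records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events; field names are assumed, not a real SIS log format.
EVENTS = [
    {"ts": "2024-09-10T02:11:00Z", "user": "svc-contractor-01", "event": "login", "mfa": False, "geo": "UA", "rows": 0},
    {"ts": "2024-09-10T02:12:30Z", "user": "svc-contractor-01", "event": "export", "mfa": False, "geo": "UA", "rows": 4_000_000},
    {"ts": "2024-09-10T02:20:00Z", "user": "svc-contractor-01", "event": "export", "mfa": False, "geo": "UA", "rows": 9_500_000},
    {"ts": "2024-09-10T14:05:00Z", "user": "jsmith", "event": "login", "mfa": True, "geo": "US", "rows": 0},
    {"ts": "2024-09-10T14:06:00Z", "user": "jsmith", "event": "export", "mfa": True, "geo": "US", "rows": 1_200},
]

# Assumed per-account baseline of countries the account normally logs in from.
BASELINE_GEO = {"svc-contractor-01": {"US"}, "jsmith": {"US"}}
EXPORT_THRESHOLD = 100_000  # rows per account per hour; assumed tuning value


def detect(events, baseline_geo, threshold=EXPORT_THRESHOLD):
    """Return alerts for events that lack MFA, come from an unseen country,
    or push an account's hourly exported-row count past the threshold."""
    rows_per_window = defaultdict(int)
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        hour = ts.replace(minute=0, second=0, microsecond=0)
        reasons = []
        if not e["mfa"]:
            reasons.append("no_mfa")
        if e["geo"] not in baseline_geo.get(e["user"], set()):
            reasons.append("new_geo")
        if e["event"] == "export":
            key = (e["user"], hour)
            rows_per_window[key] += e["rows"]
            if rows_per_window[key] > threshold:
                reasons.append("bulk_export")
        # A single weak signal is noise; a bulk export or two weak signals is an alert.
        if "bulk_export" in reasons or len(reasons) >= 2:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE_GEO):
        print(a)
```

The ordinary staff session is not flagged; the contractor account trips the rule at login and again on each oversized export.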

In response, PowerSchool notified all affected customers and offered two years of complimentary identity protection and credit monitoring services to students and faculty whose information was exposed. 

The company has pledged to continue investing in its cybersecurity program and to work closely with law enforcement to mitigate the impact of the breach.

For the education sector, the incident is a stark reminder of the unique risks associated with storing large volumes of sensitive data on minors. 

School districts and their technology partners must prioritize data minimization, encryption, and continuous security training to reduce the attack surface and protect vulnerable populations from cyber threats.

As the court prepares to sentence Lane, the case stands as a landmark in the ongoing battle against cyber extortion and identity theft, reinforcing the need for vigilance, accountability, and innovation in cybersecurity.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents happening across cyberspace.