PowerSchool Breach: Hacker Admits to Student Data Extortion Plot

21.05.2025

A 19-year-old college student from Worcester, Massachusetts, has pleaded guilty to orchestrating a major cyberattack on PowerSchool that led to the theft of personal data from millions of students and educators. The attack culminated in a $2.85 million ransom demand to prevent the public release of the stolen data.

According to the U.S. Department of Justice, Matthew D. Lane pleaded guilty to four federal charges, including conspiracy to commit cyber extortion, unauthorized access to protected systems, and aggravated identity theft. The breach began with an earlier cyberattack in 2022 on a telecommunications company, where Lane and co-conspirators obtained credentials that later granted them access to PowerSchool’s systems through a third-party contractor.

In December 2024, using the stolen credentials, Lane accessed PowerSchool’s internal platforms and exfiltrated sensitive data belonging to over 62 million students and nearly 10 million educators across thousands of school districts. This data included names, contact information, Social Security numbers, academic records, and other private information.

After PowerSchool received the ransom demand in Bitcoin, they reportedly paid to prevent the leak. However, the attackers continued their campaign, issuing further ransom demands to individual school districts, threatening to release student data if additional payments were not made. These follow-up extortion attempts were allegedly tied to or imitated by members of the notorious hacking group ShinyHunters.

Lane also faces charges for attempting to extort the initial telecom victim, including threats against company executives and a $200,000 ransom demand. Investigations into possible accomplices and related cyberattacks remain ongoing.
