College Student Expected to Plead Guilty in PowerSchool Hacking Case


Teenager Charged With Stealing K-12 Student and Faculty Data, $3 Million Extortion


A college student has been charged with extorting PowerSchool, a platform for K-12 student information systems, after allegedly stealing sensitive data from millions of students and faculty members.


Matthew D. Lane, a 19-year-old from Massachusetts, faces multiple charges including hacking, extortion, and identity theft. He plans to enter a guilty plea as part of a formal agreement that was revealed by U.S. prosecutors.

Lane is currently enrolled at Assumption University in Worcester, Massachusetts. If convicted, he could face a maximum of 17 years in prison, though a court date for his change of plea has not yet been scheduled. His attorney has not yet issued a statement regarding the charges.

The allegations involve attacks on two organizations, a telecommunications company and PowerSchool, though specific details about the telecommunications firm have not been disclosed. However, evidence points directly to the breach involving PowerSchool, following a significant cyber incident affecting the platform in late 2024.

The breach impacted institutions across the U.S., Canada, and Bermuda, with PowerSchool reportedly storing data for around 60 million K-12 students and teachers. Initial reports indicate that up to 62.4 million student records may have been compromised, though this figure remains unverified.

Lane allegedly demanded a ransom of 30 bitcoins (approximately $2.85 million at the time) from PowerSchool, leveraging the stolen data with the promise that payment would prevent its public release. U.S. Attorney Leah B. Foley described the incident as not only financially burdensome for its victims but also deeply concerning for the privacy of those impacted.

As the breach unfolded, other parties began using the stolen information to extort schools, prompting PowerSchool to admit that it paid an undisclosed amount after the attack in an effort to thwart further data leaks.

Technical Context of the Attack

The breach highlights potential tactics outlined by the MITRE ATT&CK framework. Initial access may have been gained through stolen credentials of a contractor affiliated with PowerSchool, marking a classic case of credential theft contributing to an organization’s vulnerability.

Following this initial access, the extortion unfolded with tactics emphasizing privilege escalation, and communication through encrypted channels like Signal can further enhance anonymity. This suggests a methodical approach to conducting cybercriminal activities and underscores the systemic cybersecurity issues organizations face.

Lane is also facing charges related to extorting a U.S.-based telecommunications company, further showing how widespread these tactics are and how easily criminal actors can manipulate sensitive customer information. In discussions with this telecommunications firm, Lane's ransom demands were punctuated by overt threats, demonstrating a concerning escalation in cyber extortion methods.

Lane’s plea agreement obliges him to admit guilt concerning numerous cyber-related charges, which collectively could lead to a substantial prison sentence, alongside forfeiting digital assets linked to the crimes. As the legal proceedings continue, this case serves as a stark reminder of the significant risks posed by cybercriminals in today’s digital landscape.
