Dive Brief:
- A Massachusetts college student agreed on Tuesday to plead guilty in connection with the alleged hacking and extortion of an unnamed ed tech company for $2.85 million in Bitcoin in December 2024, according to the U.S. Attorney’s Office for the District of Massachusetts. A person with direct knowledge confirmed to K-12 Dive that student information system software provider PowerSchool is the company in question.
- The 19-year-old student, Matthew Lane, is accused of gaining unauthorized access to the cloud-based software provider’s network in September 2024 by using an employee’s credentials. Months after obtaining PowerSchool’s student and teacher data, Lane leased a computer server from a cloud provider in Ukraine, where he then transferred the stolen data.
- Lane, a student at Assumption University in Worcester, Mass., could face up to 17 years in prison and a fine up to $250,000 or “twice the gross gain or loss,” whichever is higher. Lane is charged with cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft.
Dive Insight:
The arrest of an alleged threat actor is a rare instance of identifying perpetrators of ransomware attacks against the increasingly vulnerable education sector and holding them accountable.
“Cyber extortion is a serious attack on our economy and on all of us. As alleged, this defendant stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals — all to put a notch in his hacking belt,” U.S. Attorney Leah Foley said in a Tuesday statement. “The alleged ransoms that this defendant and others like him demand hurt victim companies and their innocent customers whose data the companies are entrusted to hold.”
Still, it’s unclear what will happen with the leaked sensitive data of over 60 million students and 10 million teachers. The breach has resulted in over 100 districts suing PowerSchool and several districts being contacted with extortion threats. The court documents also suggest that PowerSchool didn’t know about the data breach for over 100 days until Lane extorted the company on Dec. 28, 2024, when PowerSchool said it first learned of the incident.
Foley also wrote in a court filing that Lane had access to the company’s student and teacher data including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords. Lane allegedly told the company that if it didn’t pay the nearly $2.85 million ransom, he would “leak” the stolen information “worldwide.”
The U.S. Attorney’s Office in Massachusetts advises students and teachers who suspect their information was compromised to contact their local school district.
The court documents generally confirm what was already known about the PowerSchool data breach but still tell a “pretty astonishing story,” said Michael Klein, a former senior advisor for cybersecurity at the U.S. Department of Education and now the senior director for preparedness and response at the Institute for Security and Technology.
“PowerSchool should have had 106 days from when the hacker first accessed 1 school district’s data in September 2024 to when he stole 1000s of districts’ data in late December, but they did not detect and therefore did not stop the incident,” Klein wrote in a statement to K-12 Dive. That’s “important, because the states and school districts must entrust vendors like PowerSchool with their data, which lives on the vendor’s platform, there was literally nothing districts could have done to prevent the data breach.”
Earlier this month, PowerSchool confirmed that it paid a ransom to threat actors as a result of last year’s data breach, but the company did not disclose the amount. The FBI advises that victims of ransomware attacks do not pay threat actors, as it can often embolden them to commit additional cybercrimes, and there is no guarantee of the stolen data being returned or deleted.
Lane is also accused of hacking and extorting a telecommunications company for $200,000 between April and May 2024, several months before he allegedly gained unauthorized access into PowerSchool’s system.
The charges against and plea agreement with Lane come at a time when a majority of districts report facing a cybersecurity incident in some form. In fact, 82% of K-12 schools reported experiencing a cyber incident between July 2023 and December 2024, according to the nonprofit Center for Internet Security. The most common of those threats include ransomware attacks, phishing, social engineering and data breaches.
It takes the education sector an average of 4.8 months to report a ransomware attack, according to a recent Comparitech analysis. But education companies — separate from schools, colleges and universities — had even higher data breach reporting times at 6.3 months on average.