19-Year-Old Hacker Admits Guilt in Major Cyberattack on PowerSchool

Massachusetts college student stands accused of orchestrating a sweeping cyberattack on PowerSchool, a widely used educational software provider, resulting in the theft of confidential data from millions of students and teachers.

The accused, Matthew D. Lane, age 19, has agreed to plead guilty to federal charges encompassing cyber extortion, unauthorized access to protected computers, and aggravated identity theft.

The high-profile case has sent shockwaves through the education and technology sectors, underlining the growing risks of cybercrime in systems entrusted with sensitive information.

Federal prosecutors allege that from April to May 2024, Lane conspired with others to hack into the computer networks of two prominent U.S. companies, including PowerSchool.

Using stolen login credentials, Lane gained unauthorized access to a cloud storage provider serving school systems across the United States and Canada.

He allegedly transferred a trove of personally identifiable information (PII) — including names, social security numbers, dates of birth, medical details, and even parent and guardian data — to a server he controlled in Ukraine.

The scope of the breach was staggering, with Lane threatening to publish the confidential records of over 60 million students and 10 million teachers unless he received a ransom payment in Bitcoin amounting to nearly $2.85 million.

In separate extortion attempts, Lane and his associates similarly targeted a telecommunications provider, demanding a ransom of $200,000, and issued explicit threats to escalate the exposure of internal records if their demands were not met.

Prosecutors described Lane’s communications as coercive, quoting a message in which he warned, “We are the only ones with a copy of this data now. Stop this nonsense… Make the correct decision and pay the ransom.”

Law and Sentencing Guidelines

The charges brought against Lane — including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft — each carry significant legal consequences.

Each computer fraud-related charge could result in up to five years in prison, supervised release, and substantial financial penalties, while the aggravated identity theft charge mandates a consecutive two-year prison term.

Sentencing will ultimately be determined by federal guidelines and rests with the presiding district judge.

United States Attorney Leah B. Foley emphasized the wider impact of such cybercrimes, noting that these attacks impose real financial costs, violate the trust of affected families, and “instill fear in parents that their kids’ information had been leaked into the hands of criminals.”

The FBI, which led the investigation, reiterated its commitment to pursuing cyber offenders, regardless of age or motivation, signaling the government’s resolve in confronting digital threats against critical infrastructure and private data.

Community Response and Investigation

The PowerSchool breach has raised urgent questions for students, educators, and families whose information may have been compromised.

According to the Report, School districts are advising those concerned about potential exposure of personal data to contact their local administrators for guidance.

As the case moves toward a plea hearing, authorities are working to support the victims and enhance cybersecurity measures across educational platforms.

Lane remains presumed innocent until the court formally accepts his guilty plea and imposes sentence.

The ongoing investigation, assisted by the Assumption University Police Department and prosecuted by the Securities, Financial & Cyber Fraud Unit, reflects intensified scrutiny of cyberthreats targeting youth data and the imperative of fortified digital defenses within the education sector.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!