19-year-old college student Matthew D. Lane, from Worcester, Massachusetts, was sentenced to 4 years in prison for orchestrating a cyberattack on PowerSchool in December 2024 that resulted in a massive data breach.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts, with over 18,000 customers worldwide and supporting more than 60 million students.
According to court documents, U.S. District Judge Margaret R. Guzman sentenced Lane to four years in prison on Tuesday and ordered him to pay $14 million in restitution and a $25,000 fine.
Lane pleaded guilty in May 2025 to four federal charges of one count each of unauthorized access to protected computers, cyber extortion conspiracy, cyber extortion, and aggravated identity theft.
As the U.S. Department of Justice said in May, Lane and his accomplices used credentials stolen from a subcontractor to breach the education software giant’s PowerSource customer support portal on December 19, 2024, and a maintenance tool to download school databases containing the personal information of 9.5 million teachers and 62.4 million students from 6,505 school districts worldwide.
After stealing a wide range of sensitive data belonging to students and faculty, including the full names, physical addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, and medical data of impacted students and faculty, they sent ransom demands for $2.85 million in Bitcoin on December 28.
These ransom letters claimed to be from Shiny Hunters, a notorious threat group linked to many breaches, including the 2022 AT&T data breach that impacted 109 million people, the SnowFlake data theft attacks, and a wave of Salesforce breaches.
While PowerSchool paid a ransom to prevent the data leak, it’s still unclear how much was paid. Even though they were paid, Lane and his co-conspirators still attempted to individually extort affected school districts into paying additional ransoms to prevent leaks of student data.
In March, PowerSchool also revealed that threat actors had previously breached PowerSource in August and September 2024, using the same compromised credentials, but a CrowdStrike investigation into the incidents didn’t find evidence linking the same attacker to all three breaches.
Last month, Texas Attorney General Ken Paxton sued PowerSchool for failing to protect data belonging to Texas families and school districts, and for misleading customers about its security practices.
Join the Breach and Attack Simulation Summit and experience the future of security validation. Hear from top experts and see how AI-powered BAS is transforming breach and attack simulation.
Don’t miss the event that will shape the future of your security strategy
