College student to plead guilty to PowerSchool hack

A Massachusetts college student will plead guilty to charges relating to his alleged hack and extortion of education tech giant PowerSchool, according to prosecutors.

The 19-year-old Assumption College student, Matthew Lane, also was charged Tuesday with hacking and demanding a ransom payment from an unnamed telecommunications company, Massachusetts federal prosecutors said.

While a court filing describing the charges did not name PowerSchool, which it refers to as Victim 2, it described the ransom demand conveyed to Victim 2 as having occurred on December 28, the same day PowerSchool has said it received the demand.

A source with direct knowledge of the case confirmed that PowerSchool is the company which the charging documents refer to as Victim 2.

Lane allegedly obtained a PowerSchool contractor’s credentials in September, and at that point accessed company data belonging to one school district customer, prosecutors say. He then allegedly leased a computer server and moved data for tens of millions of others to it in December. PowerSchool stored data belonging to more than 60 million students and 9 million teachers, according to disclosures.

Nine days after leasing the server storing the stolen data, prosecutors say Lane threatened to leak reams of customers’ sensitive personal data if PowerSchool did not send him about 30 bitcoin — worth approximately $2.85 million at the time.

The demand threatened to “leak… worldwide” the names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords and other data, according to the Department of Justice.

“This defendant stole private information about millions of children and teachers, imposed substantial financial costs on his victims and instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt,” U.S. Attorney Leah Foley said in a statement.

Lane’s lawyer did not immediately respond to a request for comment.

PowerSchool's software is used by more than 18,000 schools and school districts worldwide. The California-based company, which has said it paid the ransom demand, disclosed the breach to customers on January 7.

In recent days, at least four individual school districts have received extortion demands threatening to release data obtained in the same PowerSchool breach if they do not pay ransoms, according to the source with direct knowledge of the case.

Under the plea deal, Lane will go to prison for at least two years on a variety of charges, including one count each of aggravated identity theft, unauthorized access to protected computers without authorization, cyber extortion conspiracy and cyber extortion, prosecutors say. 

The plea agreement also requires Lane to forfeit money he received from the ransom payments and pay additional penalties.

A spokesperson for PowerSchool said that while it is unable to comment on active litigation, the company is “focused on working through this matter directly with our customers.”

“We care deeply about the students, teachers and families we serve and are wholeheartedly committed to serving them.”