Prosecutors seek 7-year prison term for ‘sophisticated’ PowerSchool hacker

Prosecutors are seeking a seven-year prison sentence for the 19-year-old Massachusetts man who pleaded guilty to hacking into an education technology company’s databases and stealing data belonging to millions of students and teachers. 

The sentencing recommendation for Matthew Lane is based on his history of allegedly hacking at least seven other victims, including foreign government entities, since 2021, according to a sentencing memorandum filed Tuesday. He accessed databases belonging to the company PowerSchool that had information on more than 60 million students and nine million teachers. 

Prosecutors alleged Lane acted out of greed and knew that what he was doing was wrong, and they cited his behavior despite having “loving and nurturing” parents as further evidence that Lane should spend years behind bars.

Lane, who is scheduled to be sentenced on October 14, allegedly told PowerSchool that he would leak the Social Security numbers of children as young as five and ruin the firm financially if it did not pay a ransom of 30 bitcoin (about $2.85 million at the time), according to the memorandum.

“Final note, we fully intend to destroy your company and bankrupt it to the point of no absolute return if the ransom is not paid,” Lane told PowerSchool, according to court documents.

The incident has cost the ed tech giant more than $14 million due to the identity theft monitoring it has offered victims, in addition to a nearly $3 million ransom, according to the memorandum. Lane has paid back about $160,000 of the ransom, prosecutors said.

Sensitive data, including students’ Social Security numbers, special education status, medical conditions and parental restraining orders, were exposed in the hack, which PowerSchool made public in January.

Prosecutors said Lane used “sophisticated” tactics to cover his tracks, including by using virtual private networks, eSIMs, anonymized email addresses and phone numbers, stolen credentials and foreign servers.

A freshman at Assumption College in Massachusetts, Lane allegedly used the ransom money to buy designer clothes, diamond jewelry, luxurious rental apartments and fast food deliveries, prosecutors said. The memorandum notes that he expected his college internship to cover his limited student debt and that he planned to work for Google, evidence that he could have earned legitimate money using his cyber skills.

 Lane’s attorney did not respond to requests for comment. 

A spokesperson for PowerSchool said the company is “committed to protecting student data and ensuring the safety of our systems.”

The proposed seven-year sentence also incorporates Lane’s guilty plea for hacking an unnamed wireless telecommunications company.

In May 2024, prosecutors say, Lane hacked the firm and demanded it pay a $200,000 ransom. At the time, the sentencing memorandum says, Lane told a co-conspirator, “we need to hack another shitty company that[’]ll pay. [W]e need SSNs [social security numbers].” 

Three months later, in August 2024, Lane allegedly broke into PowerSchool’s network. 

By December 2024, Lane had leased a Ukraine-based server onto which he allegedly exfiltrated PowerSchool data, including Social Security numbers. 

Lane told a girlfriend he would be working late the same night that the server was leased, saying, “I just need to actually make $ for a second,” the sentencing memorandum says.

Prosecutors say Lane knew that what he was doing was wrong, pointing to the fact that when he hacked the wireless telecommunications company he told a co-conspirator they should use burner phones, hide their IP addresses, transfer cryptocurrency proceeds to anonymous virtual cards and wear masks and gloves when using ATMs tied to the cards.

Lane told his co-conspirator that if they took those precautions law enforcement “will literally find nothing,” according to the sentencing memorandum.

Last month, Texas sued PowerSchool, saying the company broke state laws relating to deceptive trade practices and identity theft protection, including by misleading consumers into believing its shoddy security practices were “state-of-the-art.”

PowerSchool has acknowledged the hack was enabled by the fact that it did not use multifactor authentication.