A Massachusetts man who broke into the network of educational software provider PowerSchool to steal data belonging to millions of students and teachers and extort money from the company was sentenced Tuesday to four years in prison.
Matthew Lane, 20, was sentenced by U.S. District Judge Margaret Guzman in Worcester, Massachusetts, after he pleaded guilty in June to charges related to the hacking of two companies, including California-based PowerSchool.
The PowerSchool breach in December 2024 exposed sensitive data of more than 2.7 million current and former Canadian students, plus millions more in the U.S. Depending on the type of information school boards kept, data including names, dates of birth, home addresses, emergency contact information, and even social security numbers was compromised.
School systems across Canada – in alberta, ontario, manitoba, Newfoundland and Labrador, Nova Scotia, northwest territories, Prince Edward Island and Saskatchewan: Primarily uses web-based system to manage personal, and sometimes medical, information, grades and other details of students. Some use it as a portal to communicate with families.
Guzman also ordered Lane to pay more than $14 million in restitution and a $25,000 fine, according to U.S. Attorney Leah Foley’s office.
In a statement, a PowerSchool spokesperson said it “appreciates the efforts of prosecutors and authorities who brought this individual to justice.” Lane’s attorney did not respond to a request for comment.
Some parents learned Wednesday that their children’s personal information, stolen in the PowerSchool data breach last December, was never deleted even though the company paid a ransom. Since hackers still have millions of student records, experts recommend caution.
Lane, who had been a student at Assumption University in Worcester when he was first charged, pleaded guilty in June to engaging in cyber extortion and aggravated identity theft and accessing protected computers without authorization.
According to prosecutors, in mid-2024, Lane took advantage of a previous data breach at a telecommunications company and, claiming to be a member of a notorious hacking group, demanded a $200,000 ransom to prevent the company’s data from being leaked. Using stolen login credentials, Lane gained access to PowerSchool’s network, allowing him to steal personal data from students and teachers, prosecutors said.
Days later, PowerSchool received a ransom demand that threatened to leak the names, addresses, Social Security numbers and other sensitive data belonging to millions of students and teachers unless it paid $2.85 million in bitcoin, according to prosecutors.
That ransom demand came from the same group of hackers that Lane claimed to represent when he extorted the telecommunications company, prosecutors said. PowerSchool has said it decided to pay a ransom for the hacker to delete the data and prevent the information from becoming public.
Subsequently, several school boards in Canada received ransom demands using the data accessed in the PowerSchool breach.
