Teen Hacker Behind 60M-Record PowerSchool Breach Finally Caught, Pleads Guilty
Worcester, Mass.-May 21 2025
Federal prosecutors say a 19-year-old Massachusetts college student turned a single stolen contractor password into the largest known breach of children’s data.
According to an 11-page information filed Tuesday in U.S. District Court, Matthew D. Lane, a sophomore at Assumption University, quietly looted cloud-software giant PowerSchool of records on roughly 60 million K-12 students and 10 million educators, then demanded 30 BTC (≈ $2.85 million) to keep the files private.
From Telecom Shakedown to Classroom Heist
Lane’s playbook began two years earlier when he and an unnamed Illinois accomplice hacked a U.S. telecommunications provider. The pair squeezed the telco for $200 000 in hush money-and, crucially, walked away with a VPN token for a contractor who also serviced PowerSchool. Armed with that credential, Lane slipped into PowerSchool’s “PowerSource” support portal on September 4 2024, copied database backups for nine straight days, and staged the haul on a server he’d rented in Ukraine-details spelled out in the federal filing’s time-stamped Signal chats and bitcoin wallet addresses.
On December 28 2024 a ransom email landed at PowerSchool threatening a “world-wide release” of 60 million student records unless the company wired 30 BTC to a specified wallet. PowerSchool paid within days, later telling regulators it believed payment was “the best option to protect students.” Yet paying only bought time: by early May 2025, districts from Charlotte to Toronto were receiving fresh black-mail notes citing the same stolen data, a wave first reported by EdNC.
What Was Stolen-and Why It Matters
PowerSchool’s own incident notice concedes the haul included:
- Student names, addresses and dates of birth
- Parent/guardian contact details and hashed passwords
- Limited medical alerts and discipline notes
- Unencrypted Social Security numbers for some districts-records going back four decades
“Unlike a credit-card number, a child’s SSN can’t be re-issued,” says Eva Velasquez, president of the Identity Theft Resource Center. “That makes this breach a lifelong risk vector.”
Several North Carolina districts disabled grade portals for weeks, delaying report cards while every family reset credentials and fielded mailed breach notices. Large systems such as Wake County say direct response costs have already topped seven figures-numbers echoed in early class-action complaints by Hagens Berman and Seeger Weiss, which accuse PowerSchool of lax network segmentation and weak encryption.
A Legal Shortcut Signals Cooperation
Rather than seek a grand-jury indictment, the Justice Department used an information, a maneuver usually reserved for defendants who intend to plead guilty and cooperate. Lane faces four felony counts-conspiracy, cyber-extortion, unauthorized access, and aggravated identity theft. The last adds a mandatory two-year consecutive term; sentencing guidelines cap his exposure at seven years, but cooperation could trim that sharply. A plea hearing is expected this summer before Judge Margaret Guzman in Worcester.
Supply-Chain Blind Spot
The case underscores how contractor credentials can become the soft underbelly of even well-funded vendors. “When you outsource IT, you inherit every password hygiene problem your suppliers have,” notes Brett Callow, a threat analyst with Emsisoft. Many districts assumed PowerSchool’s cloud was segmented from third-party access; the breach shows otherwise. K-12 procurement officers now routinely demand:
- Multi-factor authentication
- Least-privilege access reviews
- Cyber-liability insurance
A Costly Lesson in Cybersecurity
The fallout from the PowerSchool breach continues to ripple through the education sector, serving as a sobering example of the vulnerabilities inherent in interconnected digital systems. While Lane's expected guilty plea may bring a measure of legal closure, the compromised data of millions of children presents an ongoing, generational challenge. For school districts and ed-tech vendors alike, the incident has become a costly lesson in the critical importance of third-party risk management and the far-reaching consequences of a single compromised credential. As the summer plea hearing approaches, all eyes will be on Worcester, not just for the outcome of Lane's case, but for the broader implications it holds for data security in an increasingly digital world.
