- Get a free pair of Meta Ray-Bans when you sign up for Verizon 5G home internet
- How to mute a group text on Android when you need a break from the chat
- Cybercriminals Mimic Kling AI to Distribute Infostealer Malware
- Flaw in Google Cloud Functions Sparks Broader Security Concerns
- DriveNets extends AI networking fabric with multi-site capabilities for distributed GPU clusters
US Teen to Plead Guilty in PowerSchool Extortion Campaign
A 19-year-old college student in Massachusetts has agreed to plead guilty to a large-scale extortion scheme targeting PowerSchool, a school software provider.
In an official document published on May 20 by the US Department of Justice (DOJ), Matthew D. Lane, a student at Assumption University in Worcester and a resident of Sterling, Massachusetts, has been accused of hacking into the computer networks of two US-based companies and extorting them for ransoms.
He has agreed to plead guilty to one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft.
PowerSchool Paid the Ransom
PowerSchool is a popular education software provider in the US and Canada, acquired by private investment firm Bain Capital in October 2024.
In January 2025, PowerSchool revealed that a malicious actor gained unauthorized access to certain information through one of its community-focused customer support portals, PowerSource, on December 28, 2024.
The affected databases held personal data of over 60 million students and 10 million teachers from 6,505 school districts globally, including the US and Canada.
This data included:
- Students’ and faculty staff members’ full names
- Physical addresses
- Phone numbers
- Passwords
- Parent information
- Contact details
- Social Security numbers
- Medical data
- Grades
A few days later, it was reported that the company had paid a ransom to prevent attackers from releasing the stolen data of students and teachers.
A message to parents by the Howard-Suamico School District in Wisconsin, US, seen by news outlet NBC 26, read: “PowerSchool confirmed that this was not a ransomware attack, but it did pay a ransom to prevent the data from being released.”
While PowerSchool first declined to confirm that it had paid to news outlets, including Infosecurity, it admitted to the payment in May after the threat actor contacted multiple school district customers in a new attempt to extort them using data from the December 2024 incident.
“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” the company wrote in the update dated May 7.
Unsuccessful First Extortion Attempt Against a Telco
The DOJ public statement and the court document about Lane’s charges do not explicitly mention PowerSchool, instead referring to it as “an education software provider.”
However, news outlet BleepingComputer said it could confirm it was PowerSchool that Lane and his co-conspirators managed to gain unauthorized access to.
According to the DOJ, Lane and his associates compromised a US telecommunications company in 2022, resulting in the theft of sensitive customer data. The breach also yielded login credentials for PowerSchool, which were associated with a contractor who worked with the education company.
Between April 2024 and May 2024, Lane agreed with others to extort a $200,000 ransom payment from the telecommunications company by threatening to publicly disseminate customer data that had previously been stolen from the company’s computer network.
Following an unsuccessful extortion attempt against the telecom firm, Lane and his co-conspirators targeted PowerSchool, demanding a ransom in exchange for not releasing the stolen data.
The DOJ alleges that PowerSchool was sent a Bitcoin ransom demand worth approximately $2.85m on December 28, 2024. The demand threatened that if the payment were not made, the stolen data would be made public globally.
However, even after PowerSchool paid a ransom – the real amount of which is unknown – several school districts impacted by the breach received ransom demands, leading PowerSchool to disclose its ransom payment publicly.
Lane Faces Two to Five Years in Prison
In addition to charges linked to the PowerSchool breach, Lane also faces charges for attempting to extort the US-based telecommunications company.
If convicted, the 19-year-old faces significant penalties. The charges carry potential sentences ranging from two to five years in prison, fines of up to $250,000 and supervised release.
The exact sentence will be determined by a federal judge based on US Sentencing Guidelines and relevant laws.
Kimberly Milka, Acting Special Agent in Charge of the FBI’s Boston Division commented: “Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars. He also allegedly conspired to extort more money from a telecommunications provider over its confidential data.”
“This alleged scheme has resulted in serious consequences and highlights the FBI’s ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law,” she added.
The charges outlined are allegations, and the defendant is considered innocent until proven guilty in a court of law. A plea hearing has yet to be scheduled.
