A Massachusetts teen pleads guilty to federal charges for hacking into one of the largest U.S. education software providers and attempting to extort millions in cryptocurrency, authorities said Tuesday.
Matthew D. Lane, 19, is accused of using stolen credentials to break into the network of a major education tech company, gaining access to the personal data of over 60 million students and 10 million teachers across North America. Prosecutors say Lane and an unnamed co-conspirator demanded $2.85 million in crypto to delete the stolen information.
Though the company wasn’t directly named in the court filing, key details match a data breach disclosed earlier this year by education software giant PowerSchool. In January, PowerSchool revealed that it had been compromised as far back as August and September 2024, impacting school systems throughout the U.S. and Canada. The breach exposed sensitive data, including names, addresses, Social Security numbers, medical records, and even decades-old student grade histories.
PowerSchool Paid the Ransom—But Extortion Continues
Prosecutors say PowerSchool eventually paid the hackers to delete the stolen data, although the exact amount was not confirmed by the company. A PowerSchool spokesperson declined to dispute the $2.85 million figure cited in the complaint. In recent weeks, multiple school districts have reported new extortion threats using old samples of student data, which PowerSchool claims are linked to the original breach—not a new incident.
The plea deal, first reported by NBC News, adds further pressure on education platforms that manage highly sensitive data but often lack the cybersecurity resources to defend against sophisticated attacks. PowerSchool is used widely to track grades, attendance, and health information in K–12 schools across the continent.
Telecom Company Also Targeted
In addition to the PowerSchool breach, Lane is accused of hacking into another unnamed U.S. telecom provider as part of a separate extortion effort. Prosecutors offered few details about that incident, and neither the company’s identity nor the outcome of the hack has been disclosed publicly.
The U.S. Attorney’s Office for Massachusetts confirmed the plea agreement but declined to identify specific victims. PowerSchool spokesperson Beth Keebler said the company was aware of the filing but deferred further comment to federal authorities.
