US Student to Plead Guilty in Massive Student Data Hack

Student Pleads Guilty to Hacking Education Tech Firm

A student residing in Massachusetts has reached an agreement to enter a guilty plea concerning federal charges linked to hacking and extortion. The target was a major U.S. educational technology company, as confirmed by prosecutors on Tuesday.

Data Breach Details

Matthew D. Lane, 19 years of age, stands accused of utilizing compromised login details to infiltrate the network of an unnamed software provider. This company provides services to educational institutions throughout North America and globally.

The alleged theft involved the personal data of over 60 million students and 10 million educators. This included sensitive information such as names, addresses, phone numbers, Social Security numbers, medical records, and academic performance data.

In certain instances, the data compromised spanned decades of historical student records. The scope of the breach was substantial and potentially far-reaching.

Connection to PowerSchool Breach

Although the company remains unnamed, details provided by federal prosecutors align with the data breach experienced by PowerSchool. PowerSchool, an education software developer, disclosed in January that a hacking incident occurred between August and September 2024.

The breach primarily impacted schools in the United States and Canada. These institutions rely on PowerSchool’s software for managing student grades, attendance records, and personal health information.

Extortion Scheme

According to prosecutors, Lane collaborated with an accomplice located in Illinois. Together, they allegedly attempted to extort the education software company for approximately $2.85 million in cryptocurrency.

PowerSchool previously acknowledged to TechCrunch that a ransom was paid to the hackers to facilitate data deletion. However, the exact amount remained undisclosed.

Subsequently, several school districts reported receiving further extortion attempts. These attempts claimed the stolen student data had not been fully eradicated. PowerSchool stated these were not new incidents, as the data samples matched those stolen in December.

Ongoing Investigation

Lane is also accused of hacking and extorting a separate entity – a U.S. telecommunications provider. The identity of this company has not been revealed in the plea agreement.

NBC News initially reported on Lane’s agreement to plead guilty.

Beth Keebler, a spokesperson for PowerSchool, confirmed awareness of the filing. She directed further inquiries to the U.S. Attorney’s Office for Massachusetts.

The U.S. Attorney’s Office declined to identify the victims, as communicated to TechCrunch by an anonymous spokesperson. Keebler did not refute the reported ransom amount.

Sean Smith, Lane’s attorney, has not yet responded to requests for comment.

This article has been updated to include a response from the U.S. Attorney’s Office for Massachusetts.