BleepingComputer: PowerSchool hacker pleads guilty to student data extortion scheme

In a case that has implications for the growing need for high security in the education market, BleepingComputer reports a 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers. The Department of Justice says PowerSchool received a ransom demand for approximately $2.85 million in Bitcoin on Dec. 28, 2024.

According to the U.S. Department of Justice, Matthew D. Lane pleaded guilty to four federal charges: one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft.

The DOJ and court documents state that Lane and his conspirators breached a US-based telecommunications company in 2022, where they stole confidential customer information. After attempting to extort the telecom firm, the DOJ says they conducted an attack on an education company that would pay a ransom.

“On or about May 14, 2024, LANE messaged CC-1 that if Victim 1 did not pay the ransom, LANE and CC-1 could sell the Stolen Victim 1 Data. LANE further suggested, ‘we need to hack another . . . company that[‘]ll pay’,” reads the DOJ complaint.

While the complaint does not explicitly mention PowerSchool, sources told BleepingComputer that it is the education company referred to by the DOJ.

The threat actor used compromised credentials belonging to a PowerSchool contractor to breach the company and steal data for millions of students and faculty in December 2024.

As previously reported by BleepingComputer, threat actors breached PowerSchool’s support platform, PowerSource, and used a maintenance tool to download the school’s databases. These databases included the personal information of 62.4 million students and 9.5 million teachers from 6,505 school districts in the US, Canada, and other countries.