A 19-year-old student at Assumption University in Worcester, Massachusetts, has agreed to plead guilty to a high-profile cyber extortion campaign that targeted education software giant PowerSchool and a U.S. telecommunications provider, compromising the personal data of more than 70 million individuals.
The U.S. Department of Justice announced that Matthew D. Lane will admit to cyber extortion, unauthorized access to protected computers, aggravated identity theft, and related federal offenses.
Lane’s guilty plea brings a new chapter to the PowerSchool breach saga, which began in late 2024 and has since evolved into one of the largest known data security incidents in the K–12 education sector. PowerSchool, a cloud-based education technology firm that provides Student Information System (SIS) services to over 60 million students and thousands of schools in the U.S. and Canada, was infiltrated using stolen credentials belonging to a third-party contractor. Lane accessed its internal systems in September 2024 and exfiltrated vast amounts of sensitive student and teacher data, including Social Security numbers, dates of birth, medical records, contact information, and passwords.
Court documents and Lane’s plea agreement confirm that he transferred this trove to a rented server in Ukraine. In December, he issued a $2.85 million ransom demand in Bitcoin, threatening to leak the data “worldwide” if payment wasn’t made. PowerSchool, which previously disclosed that it had paid a ransom in an attempt to contain the breach, later confirmed that attackers continued to extort individual school districts across North America using the same stolen records. The Toronto District School Board and districts in North Carolina were among those targeted in a renewed wave of threats in May 2025.
Parallel to the PowerSchool intrusion, Lane also conspired with at least one co-conspirator based in Illinois to extort $200,000 from a U.S. telecommunications company. Between April and May 2024, the group threatened to leak previously stolen customer data unless paid. Lane used anonymous emails and encrypted messaging apps like Signal to deliver ultimatums, even threatening the company’s executives in increasingly aggressive language. When the company expressed doubts over the attackers’ claims, Lane insisted they were the sole holders of the stolen data and implied that a prior rogue member had been “handled.”
According to the plea agreement, Lane’s actions caused over $9.5 million in losses. The U.S. Attorney's Office is recommending a sentence of 111 months — more than nine years — which includes a mandatory two-year term for aggravated identity theft. Lane has also agreed to forfeit $160,981 and a set of Monero cryptocurrency wallet addresses associated with the crime. Prosecutors cited Lane’s use of sophisticated means, including anonymizing infrastructure and his technical knowledge, as aggravating factors in sentencing.
PowerSchool’s December 2024 breach was traced to unauthorized access via the PowerSource support portal. Though the company initially reported no malware involvement and claimed the breach was limited to SIS environments, the incident’s reach proved vast, with exfiltrated data dating back more than a decade and affecting some of North America’s largest school districts. While PowerSchool offered credit and identity monitoring services to affected individuals, frustration mounted due to the company's lack of transparency and ongoing extortion attempts using data it had hoped was deleted.
Leave a Reply