PowerSchool Cybersecurity Breach: Hacker Admits Guilt in Student Data Extortion Case

A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty in a significant cyber extortion case involving PowerSchool, in which millions of dollars were demanded in exchange for not disclosing the personal information of numerous students and educators.

As confirmed by the U.S. Department of Justice (DOJ), Matthew D. Lane has pleaded guilty to four federal charges: cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft.

The DOJ’s findings reveal that in 2022, Lane and his accomplices infiltrated a U.S.-based telecommunications company, where they extracted confidential customer data. During this breach, they also obtained access to PowerSchool credentials belonging to an employee of the telecom firm, which served as a contractor for PowerSchool.

Following an initial unsuccessful attempt to extort the telecommunications company, Lane and his accomplices turned their attention to PowerSchool, intending to solicit ransom payments.

A communication dated May 14, 2024, indicated Lane’s intent to sell the stolen data amassed from PowerSchool if the ransom demand was not met. The DOJ complaint, while not explicitly naming PowerSchool, suggests that it is indeed the educational institution implicated in the case.

According to the complaint, the credentials obtained from the PowerSchool contractor facilitated a breach of the company, leading to the theft of sensitive data pertaining to millions of students and faculty in December 2024.

Previously reported breaches of PowerSchool’s support platform, identified as PowerSource, allowed threat actors to exploit a maintenance tool to download extensive databases containing intimate details of approximately 62.4 million students and 9.5 million teachers across 6,505 school districts in the United States, Canada, and other locations. This data comprised various types of information, including full names, physical addresses, contact numbers, passwords, detailed parent information, Social Security numbers, medical records, and academic grades.

The DOJ disclosed that on December 28, 2024, PowerSchool received a ransom demand approximating $2.85 million in Bitcoin. The threat emphasized that failure to pay would result in the worldwide distribution of the stolen data.

While it was previously indicated that PowerSchool did concede to certain ransom demands to avert data exposure, the specifics of any financial transaction remain undisclosed. Despite this payment, the threat actors continued their actions, attempting to extort individual school districts for further ransom payments to safeguard student information.

Reports indicate that these ransom demands originated from a group known as ShinyHunters, a notorious collective implicated in various breaches, including the significant data theft incidents associated with Snowflake and a separate breach impacting AT&T that affected 109 million individuals.

Although numerous members linked to the Snowflake and AT&T incidents have faced arrests in the last year, it remains possible that other affiliates executed the attacks or that copycat offenders sought to invoke a false flag.

In addition to the charges concerning the PowerSchool breach, Lane faces repercussions for attempting to extort the telecommunications company, where a $200,000 ransom was demanded along with threats against company executives.

Lane’s guilty plea encompasses all four allegations and carries a mandatory minimum sentence of two years for identity theft, alongside potential five-year terms for the remaining charges.