Teen Pleads Guilty in PowerSchool Hack Exposing 60 Million Student Records
Wondering who was behind the massive PowerSchool data breach that compromised personal information of over 60 million students and 10 million educators? A 19-year-old Massachusetts student, Matthew D. Lane, has officially pleaded guilty to hacking one of the largest education technology companies in North America. Using stolen credentials, Lane infiltrated the network and accessed a vast archive of sensitive student and teacher data, prompting serious cybersecurity and data privacy concerns across the country.
According to federal prosecutors, Lane unlawfully obtained names, addresses, phone numbers, Social Security numbers, medical records, and even school performance data. In some instances, the stolen files included decades' worth of archived student information, highlighting the long-term risks of unsecured cloud-based education platforms. This breach, described as one of the largest school-related data compromises in U.S. history, underscores the growing threat of cyberattacks targeting educational institutions.
Though the affected company remained unnamed in court documents, the details strongly align with the high-profile breach disclosed by PowerSchool in early 2025. PowerSchool, a widely used education management system in U.S. and Canadian schools, confirmed earlier this year that a breach occurred between August and September 2024. The company’s platform handles everything from student attendance and grades to confidential health data, making it a lucrative target for cybercriminals.
Prosecutors revealed that Lane conspired with an accomplice from Illinois in a digital extortion scheme demanding $2.85 million in cryptocurrency. PowerSchool later admitted to paying a ransom to the hackers in exchange for deleting the stolen data, although the exact payout remained undisclosed. Cyber liability and ransomware protection have since become hot topics among school districts, many of which reported follow-up extortion attempts—some citing that the original data had not been fully erased.
The attack raised red flags not only about student data protection but also about broader issues like identity theft, educational compliance regulations, and the need for encrypted data storage.
Additionally, Lane has been accused of a separate cyberattack on a U.S.-based telecommunications provider. Details remain limited, and the name of that second victim company was not disclosed in court filings.
NBC News was the first outlet to report Lane’s plea agreement, which marks a significant step toward resolving one of the largest criminal investigations involving student data theft. As the case progresses, legal and cybersecurity experts alike are urging educational institutions to tighten defenses, implement zero-trust architectures, and ensure full compliance with modern data protection laws such as FERPA and the Children’s Online Privacy Protection Act (COPPA).
PowerSchool spokesperson Beth Keebler acknowledged the legal filing but directed all comments to the U.S. Attorney’s Office for Massachusetts, which has yet to release further details. Meanwhile, concerns remain over the true extent of the breach and whether all compromised data has truly been accounted for.
Educational institutions, especially those using cloud-based management systems, are now under immense pressure to invest in advanced cybersecurity frameworks, engage in regular penetration testing, and adopt multi-factor authentication. As digital learning grows, so do the risks—and this case serves as a powerful wake-up call.
Post a Comment