A man from Massachusetts has been sentenced to four years in prison for hacking into the network of education software provider PowerSchool to steal data from millions of students and teachers and then extort the company. Matthew Lane, 20, was sentenced by U.S. District Judge Margaret Guzman in Worcester, Massachusetts, after pleading guilty in June to charges related to hacking two companies, including PowerSchool.
The breach at PowerSchool in December 2024 exposed sensitive data of over 2.7 million current and former Canadian students, as well as millions more in the U.S. The compromised data included names, birth dates, addresses, emergency contact information, and even social insurance numbers, depending on the information stored by school boards.
Various school systems across Canada, including Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, Prince Edward Island, and Saskatchewan, primarily utilize the web-based PowerSchool system to manage students’ personal and sometimes medical information, grades, and other details, with some using it as a communication portal with families.
In addition to the prison sentence, Lane was ordered by Judge Guzman to pay over $14 million in restitution and a $25,000 fine. PowerSchool expressed appreciation for the efforts of law enforcement and prosecutors in bringing Lane to justice, while Lane’s attorney did not provide a comment.
Lane, a former student at Assumption University in Worcester, pleaded guilty to cyber extortion, aggravated identity theft, and unauthorized access to protected computers in June. Prosecutors stated that Lane exploited a previous data breach at a telecommunications company in mid-2024 and, posing as a member of a hacking group, demanded a $200,000 ransom to prevent leaking the company’s data. By using stolen login credentials, Lane accessed PowerSchool’s network, enabling him to steal personal data of students and teachers.
Following the breach, PowerSchool received a ransom demand threatening to expose sensitive data unless a $2.85 million bitcoin ransom was paid. The same hacking group Lane claimed to represent during the extortion of the telecommunications company issued this ransom demand. PowerSchool decided to pay the ransom to prevent the data from being shared publicly. Subsequently, multiple school boards in Canada received ransom demands linked to the data accessed during the PowerSchool breach.