What happened
A 19-year-old Massachusetts man has agreed to plead guilty to hacking one of the nation’s leading educational technology companies and stealing the sensitive personal information of tens of millions of schoolchildren.
According to court documents unsealed Tuesday, May 20, Matthew Lane of Worcester County signed a plea agreement in connection with the 2023 cyberattack on PowerSchool. Lane faces charges of unauthorized access to a protected computer and aggravated identity theft. As part of the agreement, he has consented to a prison sentence of up to nine years and four months, which he will not contest.
The backstory
Federal prosecutors say Matthew Lane gained unauthorized access to PowerSchool’s systems using stolen employee login credentials. By entering a valid username and password, he bypassed digital safeguards and accessed a database containing the personal information of approximately 62 million students — including names, home addresses, birthdates, and, in some cases, Social Security numbers and medical records. Though court documents refer to the breached company only as “Victim-2,” a person familiar with the matter confirmed to NBC News that the target was indeed PowerSchool.
The breach first came to light in December 2023, when PowerSchool received a $2.85 million extortion demand in bitcoin. Hackers claimed to have exfiltrated the student data and threatened to release it unless the ransom was paid. In an effort to contain the damage, the company paid for a video showing the purported deletion of the stolen files. However, cybercriminals later sent extortion emails to school districts in North Carolina and Canada, using samples of the same data as proof they had not destroyed it, raising further alarm about the breach’s long-term fallout.
Read more: PowerSchool breach exposes millions of student records despite ransom payment
What was said
According to NBC News, PowerSchool responded to the ongoing fallout from the breach in a statement issued on May 7, saying, “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.” The company added, “We do not believe this is a new incident, as samples of data match the data previously stolen in December.”
Why it matters
Lane’s confession brings long-awaited accountability in a case that shook the education sector and raised urgent questions about the security of student data in the digital age. It also marks a significant step forward in identifying the individuals behind one of the most egregious data thefts involving minors in U.S. history.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQS
What happens when a tech company that handles student data is hacked?
When an educational technology platform is breached, it can result in the exposure of sensitive student information such as names, addresses, birthdates, Social Security numbers, and even medical records. This data can then be used for identity theft, extortion, or sold on the dark web.
How do hackers typically gain access to company systems?
Hackers often use stolen login credentials, phishing schemes, or software vulnerabilities to gain unauthorized access to protected systems. Even basic password reuse by employees can create a major security risk.
What is extortion in the context of a data breach?
Extortion occurs when cybercriminals demand payment (often in cryptocurrency) in exchange for not releasing or deleting stolen data. Victims are often threatened with public exposure or further harm if they refuse to pay.
What are the potential consequences for someone convicted of hacking and data theft?
Penalties can include lengthy prison sentences, substantial fines, and being barred from using certain technologies. Charges may include unauthorized access to a computer system, identity theft, and conspiracy to commit cybercrime.
Tshedimoso Makhene
