PowerSchool Hacker Sentenced to Four Years for Exposing Millions of Student Records

Key Takeaways

• Matthew Lane was sentenced to four years in prison.
• Ordered to pay over $14 million in restitution and a $25,000 fine.
• The breach exposed data of nearly 70 million students and teachers.
• Lane pleaded guilty to multiple federal charges, including cyber extortion.

The Massive Data Breach

Matthew Lane gained unauthorized access to PowerSchool's network by using credentials stolen from a contractor. This allowed him to exfiltrate sensitive data, including names, addresses, Social Security numbers, and medical information, belonging to an estimated 60 million students and 10 million teachers. The breach, which occurred in September 2024, was later revealed to be the most significant exposure of American schoolchildren's data on record.

Extortion and Financial Impact

Following the data theft, Lane demanded a ransom of nearly $2.9 million in Bitcoin from PowerSchool, threatening to release the stolen information worldwide. Although PowerSchool paid a ransom, Lane and his associates continued to extort individual school districts. The cyberattack and subsequent ransom payment resulted in over $14 million in financial losses for PowerSchool. Lane also targeted a U.S. telecommunications company, extorting them for $200,000.

Sentencing and Legal Proceedings

Federal prosecutors sought an eight-year sentence for Lane, citing his history of cybercriminal activity dating back to 2021 and concerns that he posed an ongoing threat. However, U.S. District Judge Margaret Guzman sentenced him to four years in prison, followed by three years of supervised release. Lane expressed remorse in court, stating he was "thankful I got caught" and acknowledging the harm he caused. He was ordered to pay $14.1 million in restitution and a $25,000 fine. Lane is required to surrender to the Bureau of Prisons by December 1.

Lessons Learned for Schools

The PowerSchool breach has highlighted the vulnerabilities in the K-12 education sector and the reliance on third-party vendors. Experts emphasize that schools must re-evaluate their data retention policies, minimize the collection of sensitive information, and ensure robust security measures are in place not only within their own systems but also with their vendors. The incident has also led to increased scrutiny of PowerSchool, which faces multiple lawsuits alleging negligence and failure to provide timely notice to affected users.

Sources

• PowerSchool hacker sentenced to 4 years in prison, CyberScoop.
• PowerSchool Hacker ‘Thankful I Got Caught,’ Sentenced to 4 Years in Prison – The 74, The 74.
• PowerSchool hacker got four years in prison, Security Affairs.
• PowerSchool hacker sentenced. What can schools take away from the incident?, K-12 Dive.
• PowerSchool hacker gets sentenced to four years in prison, BleepingComputer.