A 19-year-old Massachusetts man has agreed to plead guilty to hacking into PowerSchool, one of the top education technology companies in the United States, and stealing tens of millions of students’ personal information for profit. Matthew Lane of Worcester County signed a plea agreement related to charges connected to the major hack last year, according to court documents published Tuesday.
The education company, referred to as ‘Victim-2’ in the court documents, was identified by a person familiar with the matter as PowerSchool. The breach is believed to be the largest hack of American children’s sensitive data to date. Lane admitted to obtaining information from a protected computer and aggravated identity theft, agreeing not to challenge a prison sentence shorter than nine years and four months.
The Breach
Lane gained access to PowerSchool’s system by using a stolen employee username and password combination, according to the complaint. This method was previously reported by NBC News in a private third-party assessment of the incident. In December, PowerSchool discovered that someone had broken into a customer database and downloaded the personal information of 62 million children, including names, addresses, birthdays, and in some cases, Social Security numbers and medical information.
Aftermath
The hackers demanded about $2.85 million in bitcoin, which PowerSchool paid for a video showing the deletion of their only copy of the data. However, cybercriminals have since sent extortion emails to schools in Canada and North Carolina, proving they still possess the stolen data. ‘We do not believe this is a new incident, as samples of data match the data previously stolen in December,’ PowerSchool said in a statement on May 7.
Investigation and Implications
The complaint suggests that Lane was responsible for hacking into PowerSchool, although it doesn’t clarify whether he was involved in the extortion efforts. The incident highlights the growing vulnerability of student information as it becomes increasingly digitized, particularly with the rise of education technology companies during the Covid pandemic. Cybersecurity experts have warned that this trend makes student data a prime target for criminal hackers and identity thieves.
