
Matthew D. Lane, a 19-year-old college student from Worcester, Massachusetts, was sentenced to 4 years in prison for masterminding a December 2024 cyberattack on PowerSchool that resulted in a massive data breach.
PowerSchool is a provider of cloud-based software solutions for K-12 schools and districts, with more than 18,000 customers worldwide supporting more than 60 million students.
According to court documents, US District Judge Margaret R. Guzman on Tuesday sentenced Lane to four years in prison and ordered him to pay $14 million in restitution and a $25,000 fine.
Lane pleaded guilty in May 2025 to four federal charges of unauthorized access to protected computers, cyber extortion conspiracy, cyber extortion and aggravated identity theft.
As the US Justice Department said in May, Lane and his associates used credentials stolen from a subcontractor to break into a maintenance tool on December 19, 2024, to download the education software giant’s PowerSource customer support portal and school database containing personal information of 9.5 million teachers and 62.4 million students from 6,505 school districts around the world.
After stealing a wide range of sensitive data belonging to students and faculty, including full names, physical addresses, phone numbers, passwords, parental information, contact details, social security numbers, and medical data of affected students and teachers, they sent a ransom demand of $2.85 million in Bitcoin on December 28.
The ransom letters claimed to be from ShinyHunters, a notorious threat group linked to multiple breaches, including the 2022 AT&T data breach that affected 109 million people, the Snowflake data theft attack, and a wave of Salesforce breaches.
While PowerSchool did pay a ransom to stop the data leak, it is still unclear how much was paid. Even though they were paid, Lane and his co-conspirators attempted to personally extort affected school districts to pay additional ransoms to prevent the leak of student data.
In March, PowerSchool also disclosed that threat actors had previously breached PowerSource in August and September 2024 using the same compromised credentials, but a CrowdStrike investigation of the incidents did not find evidence linking the same attacker to all three breaches.
Last month, Texas Attorney General Ken Paxton sued PowerSchool for failing to protect data belonging to Texas families and school districts and for misleading customers about its security practices.


