A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers.
According to the U.S. Department of Justice, Matthew D. Lane pleaded guilty to four federal charges: one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft.
The DOJ and court documents state that Lane and his conspirators breached a US-based telecommunications company in 2022, where they stole confidential customer information. During this breach, they also gained access to PowerSchool credentials belonging to an employee at the telecommunications company that acted as a contractor for PowerSchool.
The DOJ says that, after attempting to extort the telecom firm, they conducted an attack on an education company that would pay a ransom.
“On or about May 14, 2024, LANE messaged CC-1 that if Victim 1 did not pay the ransom, LANE and CC-1 could sell the Stolen Victim 1 Data. LANE further suggested, ‘we need to hack another . . . company that[’]ll pay’,” reads the DOJ complaint.
While the complaint does not explicitly mention PowerSchool, sources told BleepingComputer that they are the education company referred to by the DOJ.
The complaint says that the threat actor used the credentials stolen from the PowerSchool contractor to breach the company and steal data for millions of students and faculty in December 2024.
As previously reported by BleepingComputer, threat actors breached PowerSchool’s support platform, PowerSource, and used a maintenance tool to download the school’s databases. These databases included the personal information of 62.4 million students and 9.5 million teachers from 6,505 school districts in the US, Canada, and other countries.
This data consisted of different information depending on the district, including students’ and faculty’s full names, physical addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, medical data, and grades.
The DOJ says that PowerSchool received a ransom demand for approximately $2.85 million in Bitcoin on December 28, 2024. The threat warned that if payment was not made, the stolen data would be leaked “worldwide.”
While BleepingComputer previously reported that PowerSchool paid a ransom demand to prevent the leak of data, it is still unclear how much was paid.
However, even after PowerSchool paid the ransom, the threat actors attempted to individually extort impacted school districts into paying further ransoms not to leak student data.
According to school notices and DataBreaches.net, these ransom demands claimed to be from Shiny Hunters, a prolific group of threat actors known for a wide range of breaches, including the Snowflake data theft attacks and a 2022 data breach at AT&T that impacted 109 million people.
While many of the threat actors involved in the Snowflake and AT&T attacks have been arrested over the past year, it’s possible that other members carried out the attacks, or that copycats are attempting to plant a false flag.
In addition to the PowerSchool breach, Lane also faces charges for the attempt to extort the U.S.-based telecommunications company, where they demanded a $200,000 ransom and made threats against company executives if the ransom was not paid.
Lane has agreed to plead guilty to all four counts and faces a mandatory minimum sentence of two years for identity theft and up to five years on each of the other charges.