RALEIGH — A 19-year-old has pleaded guilty to cybercrimes, including the December 2024 data breach of PowerSchool, a student and teacher information database system with 55 million users worldwide.
Matthew D. Lane, a resident of Worcester, Massachusetts, pleaded guilty to four federal charges related to cybercrimes and aggravated identity theft, according to a plea agreement filed May 20 in the U.S. District Court for the District of Massachusetts.
“Cyber extortion is a serious attack on our economy and on all of us,” said United States Attorney Leah B. Foley in a press release.
Lane, a student at Assumption University in Worcester, admitted to conspiring to threaten the confidentiality of information from a protected computer, unauthorized access to obtain data and identity theft, causing losses estimated between $9.5 million and $25 million.
“Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars,” said Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “He also allegedly conspired to extort more money from a telecommunications provider over its confidential data.”
The court filing accuses Lane of targeting two victims, referred to as Victim 1 and Victim 2. The description of the activities, ransom, and compromised teacher and student data implies Victim 2 is PowerSchool.
In April 2024, Lane, along with “co-conspirator CC-1” and others, initiated a cyberextortion scheme targeting Victim 1, aiming to extract a $200,000 ransom by threatening to leak stolen data, according to court filings.
Lane allegedly used an anonymized email to demand the ransom in Bitcoin, communicating with CC-1 via the encrypted Signal app to coordinate their efforts. By April 25, Lane had sent samples of the stolen data to Victim 1.
Throughout late April and early May, Lane and CC-1 are reported to have strategized via Signal to pressure Victim 1, with Lane reducing the ransom to $75,000 by May 8 and suggesting alternative plans to sell the data by May 14 if the ransom was unpaid.
In early September, Lane allegedly used stolen credentials from “Employee 1” to illegally access the computer network of Victim 2 (believed to be PowerSchool) and steal sensitive student and teacher data. On Dec. 19, Lane reportedly leased a server in Ukraine, transferring the stolen data there the next day.
Around 10 days later, Victim 2 received a ransom demand for 30 Bitcoin (a value of approximately $2.85 million) or the personal information of more than 60 million students and 10 million teachers would be compromised.
The plea agreement outlines a potential sentence of up to five years for each of three counts, plus a mandatory two-year consecutive term for identity theft, along with restitution, forfeiture of $160,981 and a $400 special assessment.
Lane waived his right to appeal a sentence of 111 months or less and agreed to forfeit assets, including cryptocurrency accounts. Sentencing is pending, with the U.S. Attorney recommending a term within the calculated guidelines range, 36 months of supervised release and no fine.
The plea deal follows a new round of ransom threats sent to 20 districts in North Carolina on May 7, according to the state’s Department of Public Instruction (NCDPI). The emails received by the districts were from “threat actors” who demanded Bitcoin in exchange for PowerSchool data they claimed to possess.
NCDPI’s Chief Information Officer Vanessa Wrenn and State Superintendent Mo Green indicated the data seemed to be the same as that stolen from PowerSchool in December 2024.
“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said during a virtual press conference on the threats. “Unfortunately, that, at least at this point, is proving to be incorrect.”
It is unclear at this time if the May threats to North Carolina districts, as well as those issued to other victims in Oregon and Canada, came from Lane and his co-conspirators.
North Carolina schools are switching from PowerSchool to Infinite Campus for the 2025-26 school year.
