A Massachusetts man who infiltrated the network of education software provider PowerSchool and stole data from millions of students and teachers has been sentenced to four years in federal prison.
U.S. District Judge Margaret Guzman in Worcester, Massachusetts, handed down the sentence to 20-year-old Matthew Lane on Tuesday.
Lane had pleaded guilty in June to multiple charges, including cyber extortion, aggravated identity theft, and unauthorized computer access. The cyberattack targeted two companies, one of which was PowerSchool, based in Folsom, California.
According to court documents, the breach at PowerSchool in December exposed highly sensitive data for over 60 million students and 10 million teachers across the United States—just weeks before the company publicly confirmed the incident.
Alongside his prison sentence, Judge Guzman ordered Lane to pay over $14 million in restitution and a $25,000 fine, as stated by the U.S. Attorney Leah Foley’s office.
A PowerSchool spokesperson said in a statement that the company “appreciates the efforts of the prosecutors and law enforcement who brought this individual to justice.” Lane’s attorney did not respond to requests for comment.
Exploiting Stolen Credentials and Demanding Ransom
Prosecutors revealed that Lane was a student at Assumption University in Worcester when the cybercrimes occurred. They said that in mid-2024, he exploited credentials obtained from a previous telecommunications company breach.
Posing as a member of a notorious hacking collective, Lane demanded a $200,000 ransom from that company, threatening to leak its data if payment was not made.
Shortly afterward, Lane used those stolen login details to break into PowerSchool’s systems, where he extracted massive troves of student and teacher information.
Within days, PowerSchool received a chilling ultimatum: unless the company paid $2.85 million in bitcoin, the hacker would release the stolen names, addresses, Social Security numbers, and other private data.
Prosecutors said the ransom demand originated from the same hacking group Lane had previously claimed affiliation with. PowerSchool ultimately chose to pay the ransom to prevent the exposure of the sensitive data.
Lane’s sentencing marks one of the most significant cybercrime cases involving the education sector in recent years, underscoring the growing vulnerability of institutions holding large amounts of student and teacher information.
Read next: Special Education Programs Left Crippled After Trump Administration’s Mass Layoffs