Gen Z Hacker Sentenced for Massive PowerSchool Data Breach Impacting Thousands of Students
A 20-year-old Massachusetts man, Matthew Lane, has been sentenced to four years in federal prison for orchestrating a 2024 cyberattack on PowerSchool, a K-12 software platform used by schools across Illinois. The breach exposed sensitive data belonging to thousands of students, teachers, and parents, including credit information and personal records.
Lane, who pleaded guilty to charges of unauthorized computer access, identity theft, and cyber extortion, admitted to hacking the system while dual-majoring in cybersecurity and computer science. He expressed remorse in an exclusive interview with ABC News, stating he was "addicted to hacking" and acknowledging the lifelong impact on victims. "I took their sense of security," he said.
The attack prompted affected families, like that of Elena Cutri, whose three children attend Elmhurst District 205, to freeze their credit after receiving breach notifications. PowerSchool confirmed paying a nearly $3 million Bitcoin ransom to the hackers, though it remains unclear how much Lane and an unnamed co-conspirator received. The company later provided two years of credit monitoring and identity protection to those affected.
FBI Supervisory Special Agent Doug Domin described the incident as one of the most financially damaging cases he's seen, emphasizing the lasting consequences for victims. While Lane acted independently, authorities warn of a growing trend of young hackers, some recruited via social media and gaming platforms, being exploited by criminal organizations.
Lane was ordered to pay over $14 million in restitution and will serve his sentence starting in November 2025. The FBI continues to investigate potential co-conspirators. PowerSchool stated it has since reinforced security measures to protect student and educator data.
Elmhurst District 205 Public Schools cybersecurity rating report: https://www.rankiteo.com/company/elmhurst-public-schools
"id": "ELM1776140821",
"linkid": "elmhurst-public-schools",
"type": "Breach",
"date": "1/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Thousands of students, '
'teachers, and parents',
'industry': 'Education Technology',
'location': 'Illinois (and other U.S. schools using '
'PowerSchool)',
'name': 'PowerSchool',
'type': 'EdTech Software Provider'}],
'attack_vector': 'Unauthorized computer access',
'customer_advisories': 'Breach notifications sent to affected families; '
'credit monitoring and identity protection offered.',
'data_breach': {'number_of_records_exposed': 'Thousands',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII, credit information)',
'type_of_data_compromised': 'Credit information, personal '
'records, personally identifiable '
'information (PII)'},
'date_detected': '2024',
'description': 'A 20-year-old Massachusetts man, Matthew Lane, has been '
'sentenced to four years in federal prison for orchestrating a '
'2024 cyberattack on PowerSchool, a K-12 software platform '
'used by schools across Illinois. The breach exposed sensitive '
'data belonging to thousands of students, teachers, and '
'parents, including credit information and personal records.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Sensitive student, teacher, and parent data '
'(credit information, personal records)',
'financial_loss': '$3 million (ransom paid) + $14 million '
'(restitution ordered)',
'identity_theft_risk': 'Yes (credit freezes required for affected '
'families)',
'legal_liabilities': 'Yes (fines, restitution, legal actions)',
'payment_information_risk': 'Yes (credit information exposed)',
'systems_affected': 'PowerSchool K-12 software platform'},
'investigation_status': 'Ongoing (FBI investigating potential '
'co-conspirators)',
'lessons_learned': 'Growing trend of young hackers being exploited by '
'criminal organizations; need for stronger security '
'measures in EdTech platforms; long-term consequences of '
'cyber extortion for victims.',
'motivation': 'Cyber extortion, financial gain, addiction to hacking',
'post_incident_analysis': {'corrective_actions': 'Reinforced security '
'measures, credit monitoring '
'for affected individuals.',
'root_causes': 'Unauthorized access by hacker with '
'cybersecurity/computer science '
'background; potential exploitation '
'by criminal organizations.'},
'ransomware': {'ransom_paid': 'Nearly $3 million (Bitcoin)'},
'recommendations': 'Enhanced security protocols for EdTech platforms, credit '
'monitoring for affected individuals, awareness of social '
'media/gaming platform recruitment risks for young '
'hackers.',
'references': [{'source': 'ABC News'},
{'source': 'FBI'},
{'source': 'PowerSchool Statement'}],
'regulatory_compliance': {'legal_actions': 'Yes (federal charges: '
'unauthorized computer access, '
'identity theft, cyber extortion)'},
'response': {'communication_strategy': 'Breach notifications to affected '
'families, public statements',
'law_enforcement_notified': 'Yes (FBI)',
'remediation_measures': 'Reinforced security measures, credit '
'monitoring and identity protection for '
'affected individuals'},
'threat_actor': 'Matthew Lane (and unnamed co-conspirator)',
'title': 'Gen Z Hacker Sentenced for Massive PowerSchool Data Breach '
'Impacting Thousands of Students',
'type': 'Data Breach, Ransomware, Cyber Extortion'}