A 19-year-old college student, Matthew Lane, hacked into PowerSchool, a leading education technology company serving over 18,000 schools and 60 million students, by compromising a contractor’s credentials in September 2023. In December, he exfiltrated sensitive data for tens of millions of individuals, including students, teachers, and parents, to a leased server. The stolen data included names, email addresses, phone numbers, Social Security numbers, dates of birth, medical records, residential addresses, guardian details, and passwords. Lane then demanded a ransom of ~30 bitcoin (~$2.85M), threatening to leak the data globally if it was not paid. PowerSchool confirmed paying the ransom, but at least four school districts later received extortion demands tied to the same breach. The incident instilled widespread fear among families, imposed financial burdens on victims, and exposed highly sensitive personal information to criminal risks. The breach was disclosed to customers on January 7, 2024, with Lane facing prison time and forfeiture of ransom proceeds under a plea deal.
Source: https://therecord.media/college-student-to-plead-guilty-to-powerschool-hack
PowerSchool cybersecurity rating report: https://www.rankiteo.com/company/powerschool-group-llc
{
  "id": "POW5775757112625",
  "linkid": "powerschool-group-llc",
  "type": "Ransomware",
  "date": "9/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Tens of millions (students, '
'teachers, parents/guardians '
'across multiple school '
'districts)',
'industry': 'EdTech/K-12 Education',
'location': 'California, USA',
'name': 'PowerSchool',
'size': 'Large (serves 18,000+ schools/districts, 60M+ '
'students, 9M+ teachers)',
'type': 'Education Technology Company'},
{'industry': 'Telecom',
'name': 'Unnamed Telecommunications Company',
'type': 'Telecommunications'},
{'customers_affected': 'Students, teachers, and '
'families (numbers undisclosed)',
'industry': 'Education',
'location': 'USA (specific locations undisclosed)',
'name': 'At least four individual school districts',
'type': 'School Districts'}],
'attack_vector': ['Credential Theft (Contractor)',
'Data Exfiltration to Leased Server',
'Ransom Demand'],
'customer_advisories': ['Direct communication with affected school districts'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 'Tens of millions (from 60M+ '
'students and 9M+ teachers)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII, medical data, SSNs)',
'type_of_data_compromised': ['Names',
'Email addresses',
'Phone numbers',
'Social Security numbers',
'Dates of birth',
'Medical information',
'Residential addresses',
'Parent/guardian information',
'Passwords',
'Other sensitive data']},
'date_detected': '2023-12-28',
'date_publicly_disclosed': '2024-01-07',
'description': 'A 19-year-old Assumption College student, Matthew Lane, '
'hacked education tech giant PowerSchool in December 2023, '
'stealing sensitive data of tens of millions of students and '
'teachers (including names, email addresses, phone numbers, '
'Social Security numbers, dates of birth, medical information, '
'residential addresses, parent/guardian information, and '
'passwords). Lane demanded a ransom of ~30 bitcoin (~$2.85M) '
'on December 28, threatening to leak the data globally. '
'PowerSchool reportedly paid the ransom. Lane also targeted an '
'unnamed telecommunications company. He obtained a '
'contractor’s credentials in September 2023, accessed one '
'school district’s data initially, then exfiltrated broader '
'data in December. At least four school districts later '
'received extortion demands tied to the same breach. Lane '
'pleaded guilty to charges including aggravated identity '
'theft, unauthorized computer access, and cyber extortion, '
'facing at least two years in prison.',
'impact': {'brand_reputation_impact': 'High (trust erosion among 18,000+ '
'schools/districts and 60M+ '
'students/9M+ teachers)',
'customer_complaints': 'Likely (parents/families feared data '
'leakage)',
'data_compromised': True,
'financial_loss': '$2.85M (ransom paid in ~30 bitcoin) + '
'additional penalties/forfeitures (amount '
'undisclosed)',
'identity_theft_risk': 'High (SSNs, PII, medical data exposed)',
'legal_liabilities': ['Active litigation',
'Regulatory scrutiny (potential violations '
'of student data protection laws)'],
'operational_impact': 'Significant (breach response, customer '
'notifications, potential system '
'disruptions)',
'systems_affected': ['PowerSchool internal systems',
'Leased external server (for data storage)']},
'initial_access_broker': {'entry_point': 'Compromised contractor credentials '
'(September 2023)',
'high_value_targets': ['Student/teacher PII',
'Sensitive personal data'],
'reconnaissance_period': 'September–December 2023 '
'(accessed one district '
'initially, later '
'exfiltrated broader '
'data)'},
'investigation_status': 'Ongoing (Lane pleaded guilty; sentencing pending)',
'motivation': ['Financial Gain', "Notoriety ('notch in his hacking belt')"],
'post_incident_analysis': {'root_causes': ['Insufficient protection of '
'contractor credentials',
'Lack of detection for data '
'exfiltration over 3+ months']},
'ransomware': {'data_exfiltration': True,
'ransom_demanded': '~30 bitcoin (~$2.85M at the time)',
'ransom_paid': True},
'references': [{'source': 'U.S. Department of Justice (Massachusetts federal '
'prosecutors)'},
{'source': 'PowerSchool public disclosure (January 7, 2024)'}],
'regulatory_compliance': {'legal_actions': ['Ongoing litigation',
'Criminal charges against Matthew '
'Lane (plea deal reached)'],
'regulations_violated': ['Potential violations of '
'student data protection '
'laws (e.g., FERPA, state '
'laws)']},
'response': {'communication_strategy': ['Public disclosure (January 7)',
'Statement emphasizing commitment to '
'customers'],
'containment_measures': ['Isolation of compromised systems '
'(assumed)',
'Ransom payment to prevent data leak'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['Customer notifications (disclosed '
'January 7)',
'Direct engagement with affected '
'districts']},
'stakeholder_advisories': ['PowerSchool notified customers on January 7, '
'2024'],
'threat_actor': 'Matthew Lane (19-year-old Assumption College student)',
'title': 'PowerSchool Data Breach and Ransomware Extortion by Massachusetts '
'College Student',
'type': ['Data Breach', 'Ransomware', 'Extortion', 'Unauthorized Access'],
'vulnerability_exploited': 'Compromised contractor credentials (specific '
'vulnerability undisclosed)'}