
Massachusetts man will plead guilty in PowerSchool hack case

It’s the first public break in the case that might be the largest breach of American schoolchildren's data.

A Massachusetts man will plead guilty to charges related to the hack of PowerSchool, the education software vendor that says it supports more than 60 million students, and that led to ransom demands at school boards and districts across the United States.

In court documents filed Tuesday, prosecutors spelled out charges against 19-year-old Assumption University student Matthew Lane and the terms of a plea bargain. While prosecutors didn’t name a victim firm, the description of the company matches that of PowerSchool. A source confirmed to CyberScoop that PowerSchool was one of the victims in Lane’s case.

It’s the first big break in a case that has been said to be the largest single breach ever of American schoolchildren’s data. 

According to documents filed Tuesday, Lane and an unnamed co-conspirator obtained stolen victim data from a U.S. telecommunications company, which is not identified in the filings. When the first victim refused to pay a $75,000 ransom, Lane allegedly messaged the co-conspirator, saying “we need to hack another … company [that’ll] pay.” The documents state that in September, Lane used a PowerSchool contractor’s credentials to gain unauthorized access to PowerSchool’s networks, where he obtained student and teacher data.


A ransom demand followed in December, according to the documents. PowerSchool said it paid the ransom, but didn’t give the figure. Court documents say that the ransom demand threatened to release sensitive data on 10 million teachers and 60 million students if PowerSchool didn’t pay an amount of Bitcoin then worth nearly $2.9 million.

Last week a New York school district said the State Education Department’s chief privacy officer notified officials there that the group responsible for the attack went by the name “Shiny Hunters.” A source familiar with the incident told CyberScoop that Lane was affiliated with the outfit.

ShinyHunters is a cybercriminal group that emerged in April 2020 and has since been tied to several high-profile data breaches, including Microsoft’s GitHub, photo editing app Pixlr, clothing retailer Bonobos and telecom giant AT&T.  

Lane will plead guilty to three of the four charges prosecutors had leveled at him: threatening to impair the confidentiality of information obtained from a protected computer without authorization and aiding and abetting; accessing a protected computer without authorization and aiding and abetting; and aggravated identity theft. 

An attorney for Lane did not immediately respond to a message seeking comment Tuesday.


Federal authorities celebrated the outcome.

“Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars. He also allegedly conspired to extort more money from a telecommunications provider over its confidential data,” said Kimberly Milka, acting special agent in charge of the Federal Bureau of Investigation’s Boston division. “This alleged scheme has resulted in serious consequences and highlights the FBI’s ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law.”

Matt Kapko and Greg Otto contributed reporting for this story.
