PowerSchool Data Breach and Ransom Attempt by Matthew Lane
Matthew Lane, a 19-year-old from Massachusetts, was convicted for hacking into the educational technology company PowerSchool and stealing sensitive personal data belonging to over 60 million students and 9 million teachers. Lane accessed PowerSchool's databases using sophisticated techniques, including VPNs, foreign servers, and stolen credentials, to evade detection. After obtaining the data, he demanded a ransom of $2.9 million, threatening to leak the information if his demands were not met. The exposed data included Social Security numbers, special education status, and medical conditions, putting millions at risk of identity theft and privacy violations. The breach became public in January, prompting PowerSchool to incur over $14 million in costs, which included providing identity theft monitoring for affected individuals. Prosecutors highlighted Lane's history of cybercrime, noting that he had previously targeted at least seven other victims, including foreign government entities, since 2021. In addition to the PowerSchool incident, Lane pleaded guilty to hacking a telecommunications firm in 2024 and demanding a $200,000 ransom. Prosecutors described Lane as acting out of greed, using the proceeds from his crimes to fund housing and luxury purchases, despite having legitimate career opportunities in technology. Lane also advised a co-conspirator on operational security, instructing them to use burner phones and wear gloves and masks when withdrawing money from ATMs with stolen cards. The court sentenced Lane to four years in prison, less than the seven years sought by prosecutors, and ordered him to pay approximately $14 million in restitution and a $25,000 fine. The sentencing memorandum detailed the significant impact of the breach on PowerSchool, including financial losses and reputational damage. The case underscores the growing threat of cyberattacks targeting educational institutions and the severe consequences for perpetrators. Prosecutors emphasized the need for deterrence, citing Lane's calculated and repeated offenses. The incident has raised concerns about the security of student and teacher data held by technology vendors. PowerSchool's response included notifying affected individuals and enhancing its cybersecurity measures. The case has drawn attention from both cybersecurity professionals and the broader public due to the scale of the breach and the young age of the perpetrator. Lane's sentencing marks a significant legal outcome in the fight against cybercrime targeting the education sector.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Lane ordered to pay restitution, fine, and supervised release
The court ordered Lane to pay about $14 million to $14.1 million in restitution, a $25,000 fine, and three years of supervised release; he also forfeited about $161,000. One report said he was required to report to prison by December 1.
Court sentences Matthew Lane to four years in prison
In October 2025, a federal court sentenced 19-year-old Matthew Lane to four years in prison for the PowerSchool hack and extortion scheme. Prosecutors had sought a seven-year sentence, but the court imposed a shorter term.
Matthew Lane pleads guilty in federal case
Matthew D. Lane pleaded guilty to federal charges tied to the PowerSchool hack and a separate intrusion involving a U.S. telecommunications company. Prosecutors said his hacking activity formed a broader pattern dating back to 2021.
Attackers attempt follow-on extortion of school districts
After receiving payment from PowerSchool, the attackers allegedly used the retained data to extort individual school districts. This showed the ransom payment did not end the campaign.
PowerSchool pays ransom for non-disclosure and deletion assurances
PowerSchool ultimately paid the ransom in an effort to prevent the data from being leaked and to obtain assurances it would be deleted. Later reporting said the attackers retained the data despite the payment.
Attackers demand about $2.85M-$2.9M ransom from PowerSchool
After exfiltrating the data, the attackers demanded roughly $2.85 million to $2.9 million in Bitcoin while threatening to leak the stolen information. Prosecutors said the extortion was carried out while impersonating the ShinyHunters threat group.
PowerSchool breach becomes public
The PowerSchool incident was publicly disclosed in January 2025, revealing a massive breach involving student and teacher data. Prosecutors later described it as the largest known data breach involving American schoolchildren.
Attackers steal school databases in PowerSchool cyberattack
In December 2024, Matthew Lane and accomplices used a maintenance tool inside PowerSchool's environment to download school databases affecting thousands of school districts. The stolen data included sensitive personal information on more than 60 million students and about 9 million teachers.
PowerSource portal breached using stolen subcontractor credentials
Court filings said attackers used credentials stolen from a subcontractor to access PowerSchool's PowerSource customer support portal. BleepingComputer also reported earlier PowerSource breaches in August and September 2024 using the same compromised credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
PowerSchool hacker got four years in prison
securityaffairs.com
Open sourcePowerSchool hacker jailed for four years
scworld.com
Open sourcePowerSchool hacker sentenced to 4 years in prison
cyberscoop.com
Open sourcePowerSchool hacker sentenced to 4 years in prison
therecord.media
Open sourcePowerSchool hacker gets sentenced to four years in prison
bleepingcomputer.com
Open sourceTeen faces 7-year sentence over PowerSchool hack
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PowerSchool Breach Hacker Sentenced After Extorting Student and Teacher Data
Matthew Lane, a Massachusetts student, pleaded guilty and was later sentenced in a federal case tied to the breach of education software provider **PowerSchool**, an intrusion U.S. authorities described as the largest cyberattack in U.S. education history. Prosecutors said Lane used stolen contractor credentials and vulnerability-scanning tools to access the company’s network, then threatened to publish sensitive records unless he was paid about **$2.85 million in Bitcoin**. The compromised data reportedly covered roughly **60 million students** and **10 million teachers**, including names, phone numbers, addresses, Social Security numbers and, in some cases, medical information. Authorities said Lane also extorted a separate telecommunications company for **$200,000** by threatening to release customer data. The case triggered ransom payments and White House Situation Room briefings, and investigators later found that some stolen PowerSchool data was allegedly retained by another actor and reused in follow-on extortion attempts against school districts. Lane received a **four-year federal prison sentence** and was ordered to pay more than **$14 million in restitution**, while U.S. investigators continue pursuing alleged co-conspirators.
May 25, 2026
PowerSchool Breach Exposed Student and Teacher Data as Minnesota District Faced Suspected Ransomware
A breach tied to **PowerSchool**, a widely used K-12 software provider, exposed student and teacher information from school districts across the U.S., including New Jersey districts where officials said data on students and educators was stolen in a nationwide cyberattack. Reporting on the incident said the compromise affected records held by schools using the platform, raising concerns about the scale of exposure across the education sector and the security of sensitive K-12 data. Separately, **Spring Lake Park Schools** in Minnesota canceled classes and shut down technology systems after an outside actor gained unauthorized access to district networks in what officials described as a suspected ransomware incident. The disruption affected classes, child care, community education, and after-school programs, while the district worked with third-party cybersecurity experts, state law enforcement, and the **FBI** to contain the intrusion and restore operations; officials later said classes would resume and that they had no evidence at that point that personal information had been affected.
May 25, 2026
ShinyHunters Breached Canvas, Stole Student Data, and Forced Global School Outages
Instructure, the company behind the Canvas learning management system, disclosed that a criminal threat actor breached its environment and stole user data from affected educational institutions. The company said the exposed information included **names, email addresses, student ID numbers, course and enrollment details, and messages between users**, while it found no evidence that passwords, dates of birth, government identifiers, financial information, course content, or student submissions were compromised. Reporting tied the intrusion to the **ShinyHunters** extortion group, which claimed far broader impact—up to **3.65 TB** of data and roughly **275 million records** across nearly **9,000 schools**—though those figures were not independently verified. Instructure said the attackers exploited flaws in its **Free-for-Teacher** environment, brought in outside forensic experts, notified law enforcement, revoked privileged credentials and access tokens, rotated keys, patched systems, and required some customers to reauthorize API access. The incident escalated when attackers allegedly reused the same access path to deface Canvas login portals with ransom messages, prompting Instructure to temporarily take Canvas offline and suspend Free-for-Teacher accounts while it contained the activity. The outage disrupted universities and schools across the U.S., Canada, Australia, Europe, and Asia during final exams, forcing some institutions to postpone tests, extend deadlines, or block access as a precaution. Instructure later said it reached an agreement with the threat actor under which the stolen data was returned and deletion was purportedly confirmed, but the company acknowledged there is no guarantee criminals actually destroyed their copies. The breach has since triggered warnings about follow-on phishing and impersonation campaigns, lawsuits, and scrutiny from the **U.S. House Homeland Security Committee** over how the same platform was compromised twice in quick succession.
Jun 8, 2026