Name: Mass. college student pleads guilty in case tied to hack that exposed NC students, teachers
Uploaded: 2025-05-21T21:27:00+00:00
Duration: 2 min 24 s
Description: Matthew Lane, 19, was charged with cyber extortion conspiracy, cyber extortion and aggravated identity theft, according to federal prosecutors. PowerSchool, a student data company, was among Lane’s victims, state officials say.

Matthew Lane, 19, was charged with cyber extortion conspiracy, cyber extortion and aggravated identity theft, according to federal prosecutors. PowerSchool, a student data company, was among Lane’s victims, state officials say.

A Massachusetts college student has pleaded guilty to hacking charges in a case tied to a company that manages data for millions of current and former North Carolina public school students, federal prosecutors said Wednesday.

Prosecutors charged Matthew Lane, 19, with hacking PowerSchool’s system and facilitating a September 2024 data breach. The dates of the breach described by prosecutors align with a cyberattack timeline described in a security audit of the California student data company. The company has said a recent cyberattack exposed records for students and teachers worldwide — a breach that potentially exposed the private information of millions of North Carolina teachers, students, and parents, officials say.

Other WRAL Top Stories

Lane, of Worcester County, Massachusetts, entered a plea deal with federal prosecutors Tuesday. He was charged with cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft, prosecutors said.

“This hacker compromised the personal data of millions of people in our state and I’m glad to see he is being brought to justice,” Attorney General Jeff Jackson said in a statement. “... My office will continue its investigation into PowerSchool’s role in this event."

Students and staff affected by the data breach have until July 31 to enroll in free identity protection and credit monitoring, which is being paid for by PowerSchool.

PowerSchool had told schools in January that it paid a ransom to a hacker and watched the data be deleted via video, before expressing confidence the data would not be leaked, WRAL reported this month. Days after WRAL’s report, some North Carolina school employees began receiving threatening messages from someone claiming to have the data and asking for bitcoin to keep the data secure.

A spokesperson for PowerSchool said Wednesday that the company was aware of the federal filings and directed questions to the U.S. Attorney in Massachusetts.

An attorney representing Lane didn’t immediately respond to a request seeking comment.

Some of the charges were tied to a cyber attack on another company. Federal prosecutors say Lane and unidentified co-conspirators stole data from a telecommunications company in May 2024 and demanded $200,000 in bitcoin to keep from leaking the data. When the company resisted paying the ransom, Lane lowered his demand to $75,000 before telling a co-conspirator, "we need to hack another... company that['ll] pay," prosecutors alleged in court documents.

Lane then used the credentials of a contractor of a second company specializing in school data to access that company’s network, prosecutors alleged. Prosecutors didn’t name the second company in court filings, but the events match those described by PowerSchool in previous disclosures. Jackson also said Lane was charged with hacking PowerSchool.

On Dec. 19, federal prosecutors say, Lane leased a server in Ukraine and transferred data from PowerSchool onto that server the next day. On Dec. 28, the company received a ransom request for about $2.85 million in bitcoin, threatening to otherwise release the data of about 60 million students and 10 million teachers worldwide, prosecutors said.

“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” a PowerSchool said in a statement May 7. “It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

Lane pleaded guilty to two cyber extortion charges related to conspiring to extort the first company and transmitting the threat across state lines. His other two guilty pleas were related to unauthorized access of the other company’s network and using the contractor’s credentials to access the network.

Lane faces up to 17 years in prison and potential fines or forfeiture. Prosecutors are recommending at least $161,000 in forfeitures.