A Massachusetts man has agreed to plead guilty to hacking into one of the top education tech companies in the United States and stealing tens of millions of schoolchildren’s personal information for profit.
Matthew Lane, 19, of Worcester County, Massachusetts, signed a plea agreement related to charges connected to a major hack on an educational technology company last year, as well as another company, according to court documents published Tuesday.
While the documents refer to the education company only as “Victim-2” and the U.S. attorney’s office declined to name the victim, a person familiar with the matter told NBC News that it is PowerSchool. The hack of PowerSchool last year is believed to be the largest breach of American children’s sensitive data to date.
According to his plea agreement, Lane admitted obtaining information from a protected computer and aggravated identity theft and agreed not to challenge a prison sentence shorter than nine years and four months. He got access simply by trying an employee’s stolen username and password combination, the complaint says, echoing a private third-party assessment of the incident previously reported by NBC News.
Companies like PowerSchool, which develop software programs to help schools manage students, data and educational programming, have grown in recent years, especially during the Covid pandemic, when many schools shifted to remote learning. Cybersecurity experts have warned that as student information becomes increasingly digitized, it becomes more of a target for criminal hackers and identity thieves.
In December, PowerSchool realized someone had broken into a customer database and downloaded the personal information — including names, addresses, birthdays and, in some cases, Social Security numbers and medical information — of 62 million kids when it received an extortion demand for about $2.85 million in bitcoin.
PowerSchool paid the hackers for a video of them claiming to delete their only copy of the data. But cybercriminals have since sent extortion emails to schools in Canada and North Carolina proving they have the data.
“We do not believe this is a new incident, as samples of data match the data previously stolen in December,” PowerSchool said in a statement May 7. “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.”
According to the complaint, Lane was responsible for hacking into PowerSchool, though it doesn’t make clear whether he or another person or group was responsible for the extortion efforts. The complaint cites an unnamed co-conspirator of Lane’s and other unnamed cybercriminals who worked together to hack and extort another company.