Computer hacker and former college student Matthew Lane 鈥� who was a teenager when he carried out a massive cyberattack on education technology company PowerSchool 鈥� was sentenced in federal court on Tuesday to four years in prison and ordered to pay more than $14 million in restitution.聽

Lane, a former Assumption University freshman who federal prosecutors described as a sophisticated and experienced cybercriminal, told a federal judge that his crimes occurred during an 鈥渆xtremely dark time in my life,鈥� but acknowledged, 鈥淚 deserve to be punished.鈥� In June, Lane pleaded guilty to what is widely considered the largest exposure of private student data in history, a breach that compromised the sensitive information of some 60 million students and 10 million educators.

鈥淚 robbed actual people and their families of their sense of security,鈥� Lane, now 20, told U.S. District Court Judge Margaret Guzman, his shaggy hair obscuring his eyebrows and the tops of his glasses, adding he was 鈥渢hankful I got caught.鈥�

Lane said he takes 鈥渇ull responsibility” for his crimes but that he was 鈥渄isconnected from reality鈥� while he engaged in hacking. He has since become 鈥渟ober not just from drugs, but from the internet as well,” he told Guzman.

Accompanied in court by family members and several friends, Lane broke down and sobbed after learning his sentence, which includes three years of supervised release and a $25,000 fine.

He was convicted of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft. Federal prosecutors were seeking a seven-year prison term, describing Lane in a sentencing memo as being motivated by greed and said the threat to Powerschool warned, 鈥渨e fully intend to destroy your company and bankrupt it to the point of no absolute return 鈥� if it didn鈥檛 meet a $2.85 million ransom demand in Bitcoin.

尝补苍别鈥檚 sentencing concludes a yearlong cybercrime saga, which began in September 2024 when prosecutors say he hacked into PowerSchool鈥檚 computer network and transferred stolen records to a leased server in Ukraine. About three months later, PowerSchool officials received the extortion demand to prevent sensitive student and teacher data 鈥� including the Social Security numbers of children as young as 5 鈥� from being leaked 鈥渨orldwide.鈥� 

Lane also pleaded guilty to working with an unnamed co-conspirator from Illinois to extort $200,000 from an unnamed U.S.-based wireless telecommunications company between April and May 2024 before he discussed the 鈥渘eed to hack another shitty company that[鈥橾ll pay鈥� and set his sights on PowerSchool. 

Guzman, who appeared sympathetic to 尝补苍别鈥檚 young age at the time he carried out multiple cyberattacks, said the case should serve as a cautionary tale to parents everywhere and expressed alarm about the 鈥渂readth and reach of technology鈥� to commit crimes anonymously. Guzman said the challenges Lane faced as a teenager, including social isolation and struggles to fit in with his peers, made him 鈥渧ulnerable to falling through the rabbit hole.鈥� 

Guzman said society can鈥檛 go back to the days of typewriters and television sets with just five channels. But parents have placed computers in their children’s bedrooms and provided cell phones to grade schoolers without proper guardrails. Lane, she said, won鈥檛 be the last one to exhibit 鈥渂ravado behind the screen of a computer.鈥� 

Defense attorney Sean Smith asked the judge to sentence Lane to three years in prison and three years of supervised release. Smith said Lane was 鈥渧ery much cognizant of the seriousness鈥� of his offenses and that he pleaded guilty and 鈥渁dmitted fault almost from the get-go.鈥� 

Smith said Lane was a teenager when the cyberattacks unfolded and had no previous convictions. Letters of support submitted by family members to the court made clear Lane was 鈥渁 generous, loving, patient individual,鈥� who grappled with loneliness, depression and anxiety.

The seriousness of 尝补苍别鈥檚 actions 鈥渃an鈥檛 be overstated,鈥� said Assistant U.S. Attorney Kristen Kearney, who called his behavior 鈥渃alculated.鈥� The PowerSchool data breach has caused real harm to millions of people, she said, who now face stifled job prospects, heightened insurance costs and other harms that will follow them 鈥渇or the rest of their lives.鈥� 

Kearney noted that Lane made several efforts to conceal his identity and avoid detection and was financially motivated: He desired designer clothes and jewelry, she said, and to 鈥渉ost parties at extravagant Airbnbs.鈥� 

Lane 鈥渄id not make a teenage mistake鈥� or get 鈥渕ixed up with the wrong crowd,鈥� she argued, but carried out 鈥渃arefully planned attacks鈥� for financial gain. Personal statements that put Lane in a positive light, she said, showed he was living 鈥渁 double life.鈥� In the online world, she said, digital chat messages included racial slurs, antisemitism and threats of sexual violence. 

The prosecutor challenged 尝补苍别鈥檚 request for a three-year prison sentence, arguing that other cybercriminals could see it as the cost of doing business if they have millions of dollars in cryptocurrency waiting for them after their release. Lane returned about $160,000 to the government, according to a sentencing memo released last week, but roughly $3 million remains unaccounted for. 

Kearney also disputed Smith鈥檚 assertion that Lane was a first-time offender at the time of the PowerSchool breach, despite his absence of a criminal record. Last week, federal officials accused him of carrying out at least eight cyberattacks dating back to at least 2021 when he was still in high school.

Prosecutors said the PowerSchool attack resulted in more than $14 million in damages, including the ransom payment and identity theft services for the students and teachers who were victimized. 

In a statement to 社区黑料 on Tuesday, PowerSchool said it 鈥渁ppreciates the efforts of the prosecutors and law enforcement who brought this individual to justice鈥� and that the company remains focused on 鈥渟upporting our school partners and safeguarding student, family and educator data.鈥�

After the sentencing hearing, a tearful Lane, who wasn鈥檛 immediately taken into custody, was embraced by friends and family members. 

鈥淚鈥檓 sorry, guys,鈥� he said to four friends outside the courtroom, exchanging hugs and handshakes before getting into an elevator. 鈥淚 love you guys.鈥�

The Massachusetts teenager set to be sentenced next week for  was a 鈥渟easoned cybercriminal鈥� who has targeted educational institutions, government agencies and corporations since 2021, my latest investigation reveals. 

Good morning and thank you for tuning in for a special edition of . Today, I turn your attention to Matthew Lane, who was a 19-year-old college freshman when he pleaded guilty earlier this year to carrying out a cyberattack on PowerSchool, stealing sensitive data from millions of students and teachers and leveraging it into 

In my latest story published this morning, I reveal how  according to threat intelligence research conducted by the cybersecurity company Cyble and provided exclusively to 社区黑料. The company鈥檚 findings, which mirror sentencing documents released by federal prosecutors on Wednesday, conclude that Lane used advanced techniques to take down his targets including PowerSchool 鈥� a cyberattack attack that represented 鈥渁 predictable escalation rather than an isolated incident.鈥�

Federal prosecutors used similar language, maintaining that 尝补苍别鈥檚 鈥渃rimes were not a mistake resulting from an isolated lapse in judgment,鈥� but rather part of a pattern of criminal cyber activity that dates back to at least 2021.

In an analysis of digital fingerprints and data breaches, Cyble analysts concluded that Lane had been  when he was still in high school. Targets included an alcoholic beverage company, a major U.S. supermarket chain, an Indonesian telecommunications company and the Colombian armed forces, Cyble said. In Wednesday鈥檚 memo, prosecutors allege that Lane has hacked at least eight targets, including 鈥渇oreign government entities.鈥� To this day, prosecutors said, most of the millions of dollars he extorted remains unaccounted for.

In federal district court in Worcester, Massachusetts, on Tuesday, they will ask the judge to sentence Lane, who was known to many in his life as a soft-spoken gamer and skilled computer programmer, to seven years in prison and more than $14 million in restitution. 

Sterling, Massachusetts聽

Matthew Lane peeked his head through a window at his parents鈥� house on a wooded, winding road, and, with apprehension, opened the front door. 

The chime of the doorbell at the gray, two-story house, which sent the family dog into a fit, wasn鈥檛 expected 鈥� or welcomed. 

尝补苍别鈥檚 had been the subject of speculation and intrigue since May when federal prosecutors announced the rail-thin, shaggy-haired 19-year-old college freshman had confessed to a ransomware attack on education technology behemoth PowerSchool. 

Federal prosecutors accused Lane of collaborating with at least one unnamed co-conspirator to steal the sensitive records of more than 60 million students and 10 million educators. Claiming to be part of a “notorious hacking group,鈥� he used the stolen data to extort nearly $3 million from California-based PowerSchool. Though charging documents describe the education technology company as 鈥淰ictim 2,鈥� extensive details released by the government align with the company鈥檚 disclosure about the breach. 

Lane pleaded guilty to the breach 鈥� widely considered the largest exposure of private student data in history 鈥� in June and is scheduled to be sentenced in federal court on Tuesday. 

“Money and greed” motivated his actions, released on Wednesday that states Lane wanted 鈥渢o buy designer clothes, diamond jewelry and luxury vehicles鈥� while spending funds on “extravagant rental apartments and near daily fast-food delivery.鈥� Lane returned about $160,000 to the government, but roughly $3 million remains unaccounted for, according to the sentencing report.

Federal prosecutors, who charged him with computer fraud and aggravated identity theft, are seeking a seven-year prison sentence and more than $14 million in restitution.

His 鈥渃rimes were not a mistake resulting from an isolated lapse in judgment,鈥� the memo alleges, but rather part of a pattern of criminal cyber activity that dates back to at least 2021, when he was still in high school. His targets include at least eight victims total, 鈥渞anging from a school athletic association to private companies to foreign governments.鈥� 

Open-source reporting and a threat intelligence report obtained by 社区黑料 from cybersecurity firm Cyble reveal details of what that past cyber crime life looked like. They provide evidence that , who was known on the Worcester, Massachusetts, campus for being socially reserved, took on flamboyant, meme-inspired personas in online cybercrime communities that were highly active for years. 

In the physical world, Lane appeared to keep a low profile around town 鈥� and he hoped to keep it that way. 

鈥淧lease leave鈥� Lane told a reporter who traveled to his hometown in August to learn more about the teenager described by federal prosecutors as 鈥渉iding behind his keyboard鈥� to carry out 鈥済et rich quick鈥� cyberattacks.

尝补苍别鈥檚 attorney, Sean Smith, didn鈥檛 respond to requests for comment.

Prosecutors said Lane “grew up in a safe, small town鈥� with what the teenager himself described as “loving and nurturing parents” and close relationships with all his family members. It was here in Sterling 鈥� a middle-class enclave of fewer than 8,000 residents 鈥� where neighbors watched a parade of Federal Bureau of Investigation agents park outside the Lane residence and conduct an early-morning raid this spring.

For cybersecurity professionals following the PowerSchool case, 尝补苍别鈥檚 indictment, which was publicized by federal law enforcement as a major score in their crackdown on cybercrime rings, . Among them, to a network of young, for and

Cyble leverages open-source intelligence techniques and proprietary tools to track the online behaviors of threat actors and help businesses manage their cyber risks. The firm provided threat intelligence research exclusively to 社区黑料 that aligns with prosecutors鈥� assertions in 尝补苍别鈥檚 sentencing report. 

Cyble researchers identified digital personas it connected to Lane and tracked their account behaviors on a cybercrime forum and across the web. These threat-actor accounts 鈥渟ystematically targeted educational institutions, government agencies and corporate networks since 2021,鈥� citing the same year as federal prosecutors. 

These earlier hacks and data breaches, Cyble said, affected an alcoholic beverage company, a major U.S. supermarket chain, an Indonesian telecommunications company and the Colombian armed forces. 

To bring down targets without detection, the threat actor behind the accounts leveraged the techniques of 鈥渆xperienced hackers,鈥� Cyble Chief Product Officer Kaustubh Medhe said. The PowerSchool hack was 鈥渁 predictable escalation rather than an isolated incident,鈥� Cyble analysts concluded, and was not the work of a 鈥渇irst-time offender鈥� but rather 鈥渁 seasoned cybercriminal.鈥� 

鈥淲e wouldn鈥檛 treat him like an amateur,鈥� Medhe said. 鈥淚n no way can we say that he was just a young kid who struck rich.鈥�

The sentencing report similarly describes 尝补苍别鈥檚 conduct as 鈥渟ophisticated, involving virtual private networks, eSIMs (a digital, more secure version of a physical card), anonymized email addresses and phone numbers, stolen credentials and foreign servers.鈥�

Federal prosecutors accused Lane of working with a co-conspirator to extort $200,000 from a U.S.-based wireless telecommunications company before discussing the “need to hack another shitty company that[鈥橾ll pay.” 

PowerSchool became that next victim, prosecutors say.

The extortion pipeline

Online fingerprints that Cyble used to connect the digital aliases 鈥�,鈥� 鈥渘etsaosa,鈥� 鈥渇uckmarykill鈥� and others to Lane show they have been exploiting vulnerabilities since the defendant was barely old enough to drive. Then the hacker bragged about it. 

On a now-defunct online cybercrime marketplace, that security researchers pegged to Lane, in part from an exposed IP address,  appeared to boast of attention-grabbing exploits: 鈥渋ve been on news sites a few times,鈥� g0re wrote in a signature line. 

As news of 尝补苍别鈥檚 connection to the PowerSchool case circulated around Sterling, neighbors said they were thankful  he wasn鈥檛 arrested for dealing drugs. But few people knew the young man accused of carrying out the crime. 

鈥淚鈥檝e never heard of him, but he can go to hell,鈥� said one patron at B-Man鈥檚 140 Tavern, a biker bar on the outskirts of town that鈥檚 known as a hub for local gossip. A police department dispatcher said she didn鈥檛 know anything about the case beyond the highlights that made the local news and the executive director of the local public access television station said he was similarly out of the loop. 

To people who knew Lane, the indictment was a shock. Neighbors, former classmates and a college professor described him as a soft-spoken gamer and a skilled computer programmer. 

One former classmate, Quinton Brien, said Lane didn鈥檛 鈥渟eem interested in school鈥� and recalled the high schooler selling nicotine vapes to his underage classmates. His class portraits appear in the regional high school yearbook, but he doesn鈥檛 show up as participating in any sports teams or extracurricular clubs. 

High school friend Pia Bogieczyk said Lane is 鈥渒ind of goofy鈥� and introverted. The two bonded over the video games Minecraft and Fortnite, Bogieczyk said, and although her friend was a computer wiz, she didn鈥檛 expect him to get caught up in cybercrime. 

鈥淚 figured he would be good enough at computer stuff to do that, if that makes sense,鈥� she told 社区黑料, but 鈥淚 didn’t think he would be using his skills for malicious purposes.鈥�

On X, attributed to Lane offers insights into his personality 鈥� and his connections. The profile features a hatred of Hallmark Christmas movies, a disclosure of being 鈥渕entally ill,鈥� a love for video games and a deep interest in anime 鈥� especially a dystopian Japanese cartoon about a lonely girl who immerses herself in an interconnected and increasingly strange digital world. 

The account also for Conor Fitzpatrick, who was a New York teenager when he , an online community where hackers sold stolen data and hacking tools. Fitzpatrick was and in September was for launching what federal officials called 鈥渙ne of the world鈥檚 largest English language hacking forums.鈥� BreachForums, which has suffered several data breaches itself, has been  

Cyble analysts found these online aliases鈥� forays into hacking began with benign efforts to identify and report computer security flaws before progressing over several years to leaking original data breaches 鈥渁nd ultimately to extortion.鈥� 

鈥楢 notch in his hacking belt鈥�

When federal officials announced , the Department of Justice accused the teenager of using stolen credentials in September 2024 to hack into PowerSchool鈥檚 computer network and transfer sensitive files to a leased server in Ukraine. On the night he leased the server, Lane told his girlfriend he was 鈥済onna be on the laptop鈥� because 鈥淚 just need to actually make $ for a second,鈥� according to the sentencing report.

About three months later, in December, PowerSchool officials received a demand for about $2.85 million in Bitcoin to prevent sensitive student and teacher data 鈥� including the Social Security numbers of children as young as 5 鈥� from being leaked 鈥渨orldwide.鈥� 

鈥淔inal note, we fully intend to destroy your company and bankrupt it to the point of no absolute return if the ransom is not paid,鈥� the hacker warned PowerSchool, according to the sentencing memo. The attack cost the company more than $14 million, according to the court documents, including the ransom payment and identity theft services for the students and teachers who were victimized. 

The cybercrime was 鈥渁 serious attack,鈥� U.S. Attorney Leah Foley said in a press release, and that Lane 鈥渋nstilled fear in parents that their kids鈥� information had been leaked into the hands of criminals 鈥� all to put a notch in his hacking belt.鈥�  

In interviews with federal law enforcement after they searched his college dorm, Lane initially “fabricated a story about receiving packages of cash,” denied engaging in extortion “and only admitted his conduct when faced with his indisputable text messages,” according to charging documents. 

The PowerSchool data breach made international headlines earlier this year in part because it encompassed highly sensitive records about students, including their mental health and . The company, acquired by the Boston-based private equity firm Bain Capital for $5.6 billion last year, operates a digital platform that helps schools track students鈥� attendance, grades and other data. More than 18,000 educational institutions globally and 90 of the 100 largest U.S. school districts rely on PowerSchool software, the company claims. 

The company, which has faced criticism for delays in notifying affected students and educators about the ransomware attack, was hit with dozens of lawsuits over its failure to keep sensitive data secure. In September, Texas Attorney General Ken Paxton announced a lawsuit against the vendor, accusing it of about the strength of its cybersecurity features. 

PowerSchool is 鈥渃ommitted to protecting student data and ensuring the safety of our systems,鈥� a company spokesperson said this week in a statement to 社区黑料.

鈥淔ollowing the 2024 security incident, we promptly notified our customers and provided ongoing updates as new information became available,鈥� the statement reads. 鈥淲e continue to work closely with affected districts and law enforcement to ensure transparency and accountability.鈥�

PowerSchool , but quickly backtracked to disclose it paid the cybercriminals an unspecified extortion demand to keep students鈥� sensitive records from spreading online. 

Then, local school leaders in several states . In May, district administrators reported receiving ransom demands for cryptocurrency payments to stop their stolen PowerSchool records from being exposed. In North Carolina, the state education department received a demand from a threat actor a cybercrime group that鈥檚 taken credit for .

That email, obtained by the cybersecurity blog , and CyberScoop, have raised questions about 尝补苍别鈥檚 , which at one point operated BreachForums. Cybersecurity analysts have 鈥渓oosely knit band of primarily English-speaking miscreants鈥� involved in hacking, extortion and 鈥渞eal-life violent crime for a price.鈥� 

Medhe of Cyble said his researchers have found no evidence that ShinyHunters had a role in the PowerSchool hack, noting that anybody can 鈥渃reate a fake email account鈥� and pretend an alliance with an international cybercrime syndicate. But the evidence makes clear that Lane 鈥渨asn鈥檛 acting alone,鈥� he said, theorizing that it鈥檚 only 鈥渁 matter of time鈥� before federal officials announce the indictment of his unnamed co-conspirator. 

After organizations fall prey to a data breach, it鈥檚 common for them to experience 鈥渟econdary victimization” where stolen records are leveraged multiple times by different hackers, said Yanna Papadodimitraki, a research associate at the . 

鈥淒ata can never be taken back in many ways,鈥� she said. 鈥淧robably, the students and the teachers will be having quite a lot to deal with in the years to come.鈥� 

鈥�Social relationships, albeit online, are key鈥�

The PowerSchool breach may be 尝补苍别鈥檚 biggest cyberattack, but the Cyble threat intelligence report indicates his entry into cybercrime began closer to home. 

The Lane-identified hacker aliases g0re and netsaosa for a cyberattack on the Massachusetts Interscholastic Athletic Association website, which stalled the release of the statewide brackets for upcoming  tournament games. The association that oversees high school sports was targeted, the threat actor at the time, because 鈥淚 was bored.鈥� 

When the hacker alerted the group to vulnerabilities on their site, 鈥渢hey ignored me. ignored me. ignored me.鈥�

Lane was 16 at the time. 

Lane is far to get caught up in organized cybercrime. The trope of a teenage hacker tapping away in his parents鈥� basement is . Indeed, many of the most devastating hacks in recent memory 鈥� including   鈥� have led to the . 

鈥淢ost of these criminals tend to have a better understanding of the local businesses, the local institutions, and what type of sensitive data they are likely to hold,鈥� Medhe said. 鈥淎nd they鈥檙e most likely to target some of these institutions that they know about before going global.鈥� 

The pathway to cybercrime for teens often begins in video gaming communities devoted to cheat codes that are used to modify the playing experience and gain an advantage, by the National Crime Agency in the United Kingdom. Such digital meetups can serve as a first stop before they move on to criminal forums that dispense 鈥渓ow-level hacking tools鈥� and where 鈥渟ocial relationships, albeit online, are key.鈥� 

The thrill of the chase and accumulating internet points in cybercrime forums 鈥� not money 鈥� are often prime motivators, according to the British law enforcement agency, which found that just a small number of hackers work their way up the ranks to 鈥渢he very technically skilled cybercriminal.鈥� 

, published in 2023 by researchers in the Netherlands, identified two dozen 鈥渞isk factors for cyber-offending,鈥� such as being a young male with 鈥渓ow self-control and deviant peers.鈥�

Youthful hackers generally turn to online communities 鈥渘ot only as a way to build expertise, but to gain a reputation, gain insights from others and buy and sell services,鈥� said Thomas Holt, the director of the Michigan State University Center for Cybercrime Investigation & Training, and the entry points and motives for teen hackers. In , Holt found young people 鈥渨hose peers used drugs, shoplifted and played computer games were more likely to engage in hacking.鈥� 

鈥淣ow you can pay for a denial of service attack, as an example, whereas 20 years ago you鈥檇 have to know how to run it yourself,鈥� Holt said, referring to a type of attack that overwhelms a computer network鈥檚 capacity and renders it unable to function. 鈥淎ll you need is an internet connection and some forums 鈥� maybe some YouTube videos 鈥� to become proficient, at least in today鈥檚 world.鈥� 

Papadodimitraki of the , whose research focuses on youth delinquency, has questioned the role video games play in cybercrime. Her own work points to many of the same factors that are correlated with other crimes, including poverty, trauma, poor social connections and school exclusion. 

鈥淏ut what we seem to be seeing when it comes to gaming and cybercrime is an overall interest in technology,鈥� she said. 鈥淪o gaming is just a part of that.鈥�

BreachForums user logs leaked in 2023 show the g0re account was created using a VPN to mask the hacker鈥檚 identity, according to a Cyble analysis of the data breach. The account, researchers found, was among the earliest BreachForums members, with User ID 17. The user鈥檚 鈥渓ast recorded activity,鈥� researchers found, pointed to the IP address of the Lane household in Sterling, Massachusetts. The lapse suggests 鈥渙perational security degradation over time,鈥� they wrote, and may have played a part in 尝补苍别鈥檚 ultimate capture.

Lane is accused of going to elaborate lengths with an Illinois-based co-conspirator to cover their tracks so that investigators “will literally find nothing.” Prosecutors allege Lane used an 鈥渁nonymized email address鈥� to communicate with breach victims and Signal, the encrypted messaging app, to communicate with the co-conspirator. The two discussed directing their criminal proceeds to cryptocurrency wallets, transferring those funds to anonymous virtual credit cards and wearing masks and gloves when taking that money from ATMs. They also talked about using money mules to withdraw the cash for them.

The Cyble threat intelligence report notes Lane was also active on Telegram, the privacy-branded messaging app that鈥檚 become a popular hangout for cybercriminals. 

“The sophistication and planning involved in his crimes and the steps he took to conceal his identity鈥攊ncluding identifying which victims to target, gaining access to their networks, negotiating ransom payments with professional cybersecurity companies, hiding the flow of funds from the ransom payments to himself and others 鈥� belies any argument that Lane was too young to understand what he was doing was wrong,” prosecutors allege.

Calling the cops

On one online forum similar to BreachForums, which is still in operation, PowerSchool exploits have been a subject of discussion for years 鈥� with student users seeking ways to change their grades and stay out of trouble with their parents. 

In one post, a user gave forum members instructions on how to spoof 鈥渢he painfully evil grade checking website,鈥� albeit temporarily, to 鈥渟how off or to prove to your mom that you鈥檙e a good student.鈥� 

The trick was a hit.

鈥淥MG dude i love you,鈥� one user wrote. 鈥淭his just saved my xbox till my school calls home.鈥� 

Bogieczyk, who played the video game Minecraft with Lane while in high school, recalled him taking Advanced Placement Computer Science courses and finding them 鈥渏ust really easy.鈥� She said she hasn鈥檛 visited Lane since the indictment but she has friends who have. One of his preoccupations, she said, has been his online reputation. News of his indictment led to 鈥渉ate online,鈥� including social media posts and negative comments on news articles. 

One of 尝补苍别鈥檚 former Assumption University professors, who asked not to be identified because he wasn鈥檛 authorized by the university to speak, said Lane was 鈥渧ery quiet鈥� in class and was surprised to learn the student, whose progress reports show he was an adept computer programmer, stood accused of a cybercrime. 

The professor said he received a general email from university administrators notifying the school community of FBI activity on campus related to cybersecurity. After news of the indictment broke, the instructor said he got an email from 尝补苍别鈥檚 personal account explaining why he was absent from class and that law enforcement had confiscated his devices.

Officials at Assumption University, a small, Catholic college with about 1,600 undergraduate students and a tiny computer science program, didn鈥檛 respond to requests for comment. 尝补苍别鈥檚 sentencing report notes he was attending Assumption on a partial scholarship, expected his college internships to pay off his student debt and aspired to work for Google.

In Sterling, the Lanes were described as 鈥渘ice neighbors鈥� who generally kept to themselves. A conversation with one neighbor was interrupted when two local police officers pulled onto the tree-lined street. Someone concerned about their privacy 鈥� Matthew Lane or his parents 鈥� had called in a complaint. 

鈥淭hey just called and they don鈥檛 have any comment and they just don鈥檛 want you here anymore,鈥� Officer Steve Mucci said. 鈥淵ou headed out?鈥�

The hackers鈥� new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed  tech behemoth鈥檚 decision to in December to prevent the sensitive records from being shared publicly. In exchange for the payment, the company said hackers provided a video of them deleting some of the stolen files, which include records with some 62.4 million students鈥� and 9.5 million educators鈥� personal information.

It appears the cybercriminals 鈥� perhaps predictably 鈥� didn鈥檛 keep their end of the bargain. 

In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers鈥� demands to local educators will be shared with the state attorney general鈥檚 office, which is investigating the fallout from the December attack. 

鈥淎t the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,鈥� Green said. 鈥淯nfortunately, that, at least at this point, is proving to be incorrect.鈥� 

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors鈥� direct outreach to schools 鈥渋n an attempt to extort them using data鈥� stolen during the December breach. Samples of data supplied to school leaders 鈥渕atch the data previously stolen in December,鈥� the company said. 

It referred to a 鈥渄ifficult decision,鈥� one its leadership team 鈥渄id not make lightly,鈥� to pay the ransom demand in the days after the attack, believing it was the best option to protect students鈥� records. Social Security numbers, special education records and detailed medical information.

鈥淎s is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,鈥� the company said in a statement on Wednesday. 鈥淲e sincerely regret these developments 鈥� it pains us that our customers are being threatened and re-victimized by bad actors.鈥�

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted 鈥渢hrough various emails,鈥� including to both their work and personal email addresses, seemingly based on the hackers鈥� ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, Wednesday they were 鈥渕ade aware that the data was not destroyed鈥� when the threat actor contacted them directly. 

鈥淲e could not find any type of trend in who they picked to email. We tend to think it鈥檚 emails that they could publicly find and contacted that person,鈥� Wrenn said. 鈥淭his exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.鈥� 

Though they confirmed just a subset of districts received the ransom demands, she said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool鈥檚 student information system. 

That鈥檚 about to change. Green said the state鈥檚 contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus 鈥� in part because of its promise of better cybersecurity practices. 

鈥淚t is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,鈥� Green said. 鈥渨e are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.鈥�

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working 鈥渃losely with our customers to support them.鈥�

The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, , led to a global breach of some 62.4 million students鈥� and 9.5 million educators鈥� personal information. Though the company hasn鈥檛 acknowledged how many people were affected, exposed sensitive files Social Security numbers, special education records and detailed medical information.

The St. Croix Falls breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.

鈥淎t the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,鈥� attorney William Shinoff, whose firm represents the St. Croix Falls district, told 社区黑料 in an interview.

PowerSchool spokesperson Beth Keebler said in a statement the company 鈥渁cted swiftly and effectively to protect our customers in compliance with the law.鈥�

鈥淧owerSchool believes the claims are without merit and will defend itself,鈥� Keebler said. 鈥淗owever, our focus as a business continues to be our customers, ensuring they have the information and support they need while informing them of the steps we have taken to set a higher standard in cybersecurity for the entire industry.鈥�

Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft. 

But because these center on the data breach鈥檚 potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure 鈥� and failed to provide schools the services they were promised. 

鈥淎 cornerstone of the commercial relationship between鈥� the school district and the company was educators鈥� 鈥渞eliance on PowerSchool鈥檚 representation that it would adequately protect鈥� students鈥� and educators鈥� sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool 鈥渉as done little to help鈥� the school district and people whose information was compromised. 

Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to 鈥渇ile thousands鈥� of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown. 

鈥淲hat I can tell you is we鈥檝e already spoken to hundreds of districts,鈥� Shinoff said. 鈥淥ur hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they’re reimbursed these public dollars that were spent for their programs.鈥� 

Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook鈥檚 and Instagram鈥檚 and the . The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm. 

PowerSchool has the hacker used a compromised password belonging to 鈥渁n authorized support engineer鈥� to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to and other records obtained by NBC News. 

The full audit, , found its systems were breached in August 鈥� months earlier than previously disclosed 鈥� but couldn鈥檛 say for certain it was by the same threat actors. 

The company 鈥渇ailed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,鈥� the complaint alleges. 鈥淪omething as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.鈥�

The that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was Feb 13.

In an earlier statement to 社区黑料, Keebler, the PowerSchool spokesperson, said the company 鈥渉as and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.鈥澛�

鈥淧owerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,鈥� the statement continued. 鈥淗owever, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.鈥� 

鈥楧evil and the deep blue sea鈥�

Despite PowerSchool鈥檚 promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told 社区黑料. 

But because its student information system plays such a significant role in day-to-day operations 鈥� and contains so much information about students 鈥� he said that switching to a competitor could become a logistical nightmare. 

鈥淢any school districts are between the devil and the deep blue sea,鈥� Williams said. 鈥淢any of them don鈥檛 have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.鈥� 

While the company may not be a household name 鈥� save for a flood of recent press following the breach 鈥� its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics. 

The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America鈥檚 100 largest school districts. 

PowerSchool was by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform , has acquired , such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation鈥檚 K-12 classrooms.

Williams is the author of the central to the Wisconsin district鈥檚 claims against PowerSchool. Created by the , a collaborative effort between school districts and technology vendors to keep students鈥� information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with 鈥� 鈥� follow stringent security practices. 

Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker. 

PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC鈥檚 reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession. 

Through the agreements, PowerSchool also vowed to 鈥渁bide by and maintain adequate data security measures, consistent with industry standards鈥� for the storage of sensitive records. 

Williams accused the company of breaching those requirements 鈥� laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium. 

鈥淲e just felt that at some point you have to police the process, at some point you have to draw a red line,鈥� Williams told 社区黑料. 鈥淲e鈥檝e got to protect the contract because it protects schools and it protects kids. So that鈥檚 not negotiable for us.鈥� 

Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool 鈥� and court-ordered accountability 鈥� to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.

鈥淎t this point their word, to us, can鈥檛 be trusted,鈥� Shinoff said. 鈥淔or them to have someone that they鈥檙e reporting to for a period of time is something that鈥檚 essential 鈥� especially when we鈥檙e dealing with thousands and thousands of districts across the country.鈥�

Data practices under a microscope

Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security 鈥� and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students鈥� personal information out of the hands of malicious actors. 

As an early adopter of a to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide. 

Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.

During the event, the company free webinars, training videos and other resources to help schools better secure their systems. 

In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a 鈥渞elentless investment and focus on every element of security.鈥� 

Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, 鈥渢o determine if they broke any laws.鈥�

The company is also facing bipartisan federal questioning. In , senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals. 

鈥淪chool district leaders who we have spoken with raised serious concerns about delays in your company鈥檚 response to the cybersecurity incident, including delayed notifications to impacted schools,鈥� wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach. 

PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to 鈥渁dult students and educators.鈥� Keeber, the PowerSchool spokesperson, said in the statement the company has seen 鈥渘o evidence of fraud or further misuse of the information involved to date.鈥� 

But the senators wrote that PowerSchool 鈥渉as not clearly communicated a date by which impacted individuals will receive鈥� the services. 

鈥淵our delayed and unclear communication is unacceptable,鈥� the letter continued, 鈥渆specially given the sensitive nature of the personal data that was stolen.鈥�

Information PowerSchool takes is 鈥榲irtually unlimited鈥�

Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.

They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.

One brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party 鈥減artners鈥� with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot. 

鈥淭he information PowerSchool takes from students is virtually unlimited,鈥� the complaint alleges. 鈥淚t includes everything from education records and behavioral history to health data and information about a child鈥檚 family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.鈥�

In a motion to dismiss the lawsuit, PowerSchool鈥檚 attorneys claimed Cherkin鈥檚 complaint relied on 鈥渂road, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.鈥� 

Keebler, the company spokesperson, denied Cherkin鈥檚 claims that it sells data or uses personal data to train its chatbots. 

But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals 鈥� and should have been a red flag all along. She compared Powerschool鈥檚 business model to that of social media companies that are built to amass and monetize user data. 

鈥淚鈥檓 truly not at all shocked that this happened,鈥� she said of the breach. 鈥淭he only way, really, to keep data safe is to not collect it and stockpile it in the first place.鈥�

If so, your sensitive data 鈥� like Social聽Security聽numbers and medical records 鈥斅�. Their target was education technology behemoth PowerSchool, which provides a centralized system for reams of student data to damn near every聽school聽in America.

Given the cyberattack鈥檚 high stakes and its potential to harm millions of current and former students, I teamed up Wednesday with Doug Levin of the  to moderate a timely webinar about what happened, who was affected 鈥� and the steps school districts must take to keep their communities safe.

Concern about the PowerSchool breach is clearly high: Some 600 people tuned into the live event at one point and pummeled Levin and panelists Wesley Lombardo, technology director at Tennessee’s Maryville City Schools; Mark Racine, co-founder of RootED Solutions; and Amelia Vance, president of the Public Interest Privacy Center, with questions. 

PowerSchool declined our invitation to participate but sent a statement, saying it is 鈥渨orking to complete our investigation of the incident and [is] coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available.鈥�

The individual or group who hacked the ed tech giant has yet to be publicly identified.

Asked and answered: Why has the company鈥檚 security safeguards faced widespread scrutiny? What steps should parents take to keep their kids鈥� data secure? Will anyone be held accountable?

In the news

Oklahoma schools Superintendent Ryan Walters, who says undocumented immigrants have placed 鈥渟evere financial and operational strain鈥� on schools in his state, proposed rules requiring parents to show proof of citizenship or legal immigration status when enrolling their kids 鈥� a proposal that not only violates federal law, but is likely to keep some parents from sending their children to school. | 

• Not playing along: Leaders of the state鈥檚 two largest school districts 鈥� Oklahoma City and Tulsa 鈥� rebuked the proposal and said they would not collect students鈥� immigration information. Educators nationwide fear the incoming Trump administration could carry out arrests on campuses. | 
   
• Walters filed a $474 million federal lawsuit this week alleging immigration enforcement officials mismanaged the U.S.-Mexico border, leading to 鈥渟kyrocketing costs鈥� for Oklahoma schools required 鈥渢o accommodate an influx of non-citizen students.鈥� | 
   
• Timely resource guide: With ramped-up immigration enforcement on the horizon 鈥� and with many schools already sharing student information with ICE 鈥� here are the steps school administrators must take to comply with longstanding privacy and civil rights laws. | 

A federal judge in Kentucky struck down the Biden administration鈥檚 Title IX rules that enshrined civil rights protections for LGBTQ+ students in schools, siding with several conservative state attorneys general who argued that harassment of transgender students based on their gender identity doesn鈥檛 constitute sex discrimination. 

Fires throw L.A. schools into chaos: As fatal wildfires rage in California, the students and families of America鈥檚 second-largest school district have had their lives thrown into disarray. Schools serving thousands of students were badly damaged or destroyed. Many children have lost their homes. Hundreds of kids whose schools burned down returned to makeshift classrooms Wednesday after losing 鈥渢heir whole lifestyle in a matter of hours.鈥� |  

• At least seven public schools in Los Angeles that were destroyed, damaged or threatened by flames will remain closed, along with campuses in other districts. | 

Has TikTok鈥檚 time run out? With a national ban looming for the popular social media app, many teens say they鈥檙e ready to move on (and have already flocked to a replacement). | 

Instagram and Facebook parent company Meta restricted LGBTQ+-related content from teens鈥� accounts for months under its so-called sensitive content policy until the effort was exposed by journalist Taylor Lorenz. | 

The Federal Communications Commission on Thursday announced the participants in a $200 million pilot program to help聽schools聽and libraries bolster their cybersecurity defenses. They include 645聽schools聽and districts and 50 libraries. |聽

Scholastic falls to 鈥渇urry鈥� hackers:聽The education and publishing giant that brought us Harry Potter has fallen victim to a cyberattacker, who reportedly stole the records of some 8 million people. In an added twist, the culprit gave a shout-out to 鈥渢he puppygirl hacker polycule,鈥� an apparent reference to a hacker dating group interested in human-like animal characters. |聽

• Dig deeper: Here鈥檚 how AI is being used by cybercriminals to rob schools. |  

Not just in New Jersey:聽In a new survey, nearly a quarter of teachers said their聽schools聽are patrolled by drones and a third said their聽schools聽have surveillance cameras with facial recognition capabilities. |聽

The number of teens abstaining from drugs, alcohol and tobacco use has hit record highs, with experts calling the latest data unprecedented and unexpected. | 

ICYMI @The74

Emotional Support

New pup just dropped.

Meet Woodford, who, at just 9 weeks, has already aged like a fine bourbon. I鈥檓 told that Woody 鈥� and the duck, obviously 鈥� have come under the good care of 74 reporter Linda Jacobson鈥檚 daughter.