College student sentenced to four years for PowerSchool cyberattack

A 19-year-old college student from Massachusetts received a four-year prison sentence for his role in a PowerSchool cyberattack that exposed data of millions of students and teachers.

Matthew D. Lane, of Worcester County, Massachusetts, has been sentenced by US District Judge Margaret Guzman for orchestrating a major attack on California-based PowerSchool, which is an education technology solutions provider for K-12 schools that serves over 60 million students worldwide.

Lane, who pleaded guilty in May 2025 to four federal charges, was also ordered to pay over $14 million in restitution and a $25,000 fine.

Together with several other accomplices, he reportedly used credentials stolen from a subcontractor to hack PowerSource customer support portal to access school databases containing personally identifiable information of 9.5 million teachers and 62.4 million students from 6,505 school districts globally.

The data included names, addresses, emails, phone numbers, dates of birth, student ID numbers, social security numbers, grade levels, school attended, limited medical alert information, residency status, and even disciplinary notes.

Threat actors then sent out ransom demands, which claimed to be from a hacker gang ShinyHunters, in the amount of $2.85 million in Bitcoin on December 28th.

PowerSchool, which provides data management and learning system products for over 15,000 schools in North America and beyond, chose to pay the ransom, although the exact amount paid remains undisclosed.

“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” Powerschool said.

PowerSchool had also previously acknowledged that despite the payment, multiple schools still received additional extortion attempts using stolen data from the December 2024 incident. At the time, the company reported the development to law enforcement both in the United States and in Canada and informed all PowerSchool SIS customers.

“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” they said in a statement, adding that they offered credit monitoring and identity protection services to students and faculty of PowerSchool SIS customers.

Although PowerSchool claimed that it had since improved its security controls, it was still sued by Texas Attorney General Ken Paxton “for failing to take reasonable measures” to protect sensitive information of Texas families and school districts.