PowerSchool data breach
Categories

PowerSchool Hacker Sentenced to Four Years After Massive Data Breach

  • Posted by Sean Doyle
  • Updated
  • 3 min

The PowerSchool hacker sentenced this week has been identified as 19-year-old Matthew D. Lane, a college student from Worcester, Massachusetts. Lane received a four-year prison term for orchestrating a large-scale cyberattack on education software provider PowerSchool in December 2024. The attack exposed sensitive data belonging to millions of students and teachers worldwide, leading to one of the largest education-related data breaches in recent history.

Judge Issues Prison Term and Heavy Fines

According to court documents, U.S. District Judge Margaret R. Guzman sentenced Lane to four years in prison. In addition to the prison sentence, Lane was ordered to pay $14 million in restitution and a $25,000 fine. Prosecutors described the PowerSchool hacker sentencing as a necessary step to deter future cyberattacks against critical educational systems that serve schools and families across the globe.

How the PowerSchool Breach Happened

The PowerSchool data breach occurred on December 19, 2024, when Lane and his accomplices used stolen subcontractor credentials to gain unauthorized access to the company’s PowerSource customer support portal. From there, they leveraged a maintenance tool to download entire school databases, compromising the personal information of 9.5 million teachers and 62.4 million students across 6,505 school districts worldwide.

Data stolen during the breach included full names, addresses, phone numbers, login credentials, Social Security numbers, parent and guardian details, and even medical information. Cybersecurity experts warned that this type of data could be used for identity theft, phishing campaigns, and financial fraud for years to come.

Ransom Demands and ShinyHunters Connection

Following the attack, Lane and his group demanded $2.85 million in Bitcoin as ransom on December 28, 2024. The ransom letters claimed to be from the well-known hacking collective ShinyHunters, which has been tied to numerous other high-profile breaches, including the AT&T 2022 breach that impacted over 100 million people and the Snowflake data theft incidents.

While PowerSchool reportedly paid a ransom to prevent the public release of stolen data, the exact amount remains undisclosed. Even after receiving payment, Lane and his co-conspirators attempted to extort individual school districts by threatening to leak student data unless additional payments were made. This tactic significantly worsened the impact of the breach on local communities and school systems.

Previous Breaches and Ongoing Lawsuits

Investigations revealed that the PowerSource platform had been compromised at least twice before in August and September 2024 using the same stolen credentials. However, it remains unclear whether Lane was responsible for all three breaches. Cybersecurity firm CrowdStrike was brought in to investigate but could not conclusively link the incidents to a single attacker.

The fallout from the breach continues to grow. In September 2025, Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool, accusing the company of failing to safeguard sensitive data belonging to Texas students and parents, and of misleading customers about its security practices. The legal battle highlights the broader accountability issues facing cloud service providers in the education sector.

Why the PowerSchool Hacker Sentencing Matters

The sentencing of Matthew Lane underscores the growing threat of cyberattacks targeting the education industry. With more than 18,000 customers and 60 million students relying on PowerSchool’s cloud-based services, the company’s breach demonstrates how vulnerabilities in one provider can have a ripple effect across thousands of schools worldwide.

Cybersecurity authorities have stressed the need for stronger authentication practices, timely patching of vulnerabilities, and greater investment in threat detection. The PowerSchool hacker sentencing serves as a warning to both would-be attackers and organizations that handle sensitive student and faculty data.

Key Takeaways

  • The PowerSchool hacker sentenced was identified as 19-year-old Matthew D. Lane, who received a four-year prison term.
  • The breach exposed the personal data of over 70 million students and teachers from more than 6,500 school districts.
  • Lane and his group demanded a $2.85 million Bitcoin ransom, claiming to act on behalf of ShinyHunters.
  • PowerSchool has since faced lawsuits, including a case filed by Texas officials, for failing to protect sensitive student data.
  • The case highlights the urgent need for improved cybersecurity in education technology providers.

Bottom line: The PowerSchool hacker sentencing marks a significant milestone in holding cybercriminals accountable. It also underscores how critical it is for schools, parents, and service providers to remain vigilant about data security in an increasingly digital education landscape.

Written by

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.

More Reading

Post navigation

Leave a Comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.