Introduction to the Case
A teenage university student from Massachusetts has agreed to plead guilty to charges in connection with the hacking and extortion of two U.S. companies, federal prosecutors say.
One of those companies is the education technology company PowerSchool, a person familiar with the matter told NBC10 Boston. The company disclosed a breach in early January — its software has been used by more than 18,000 schools to support over 60 million students across North America.
Details of the Charges
The U.S. Attorney’s Office for Massachusetts didn’t share the name of the company in announcing charges of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft against Matthew D. Lane, a 19-year-old from Sterling who’s attending Assumption University. But U.S. Attorney Leah Foley said in a statement that he "stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt."
Lane allegedly extorted a $200,000 ransom from a U.S. telecommunications company by threatening to share stolen customer data. Prosecutors said he replied to a question about whether paying the ransom would stop the extortion by saying, "We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked."
Extortion and Data Breach
He later used a stolen login to get into an education software and cloud storage company’s computer network, according to prosecutors, and moved personal identifying information of both teachers and students to a server he’d leased in Ukraine. That company later received threats that names, Social Security numbers and other information of over 60 million students and 10 million teachers would be leaked unless the company paid a ransom of 30 Bitcoin, or about $2.85 million, according to prosecutors and court documents.
A representative for PowerSchool said the company was aware of the filing and referred questions to prosecutors.
Response and Next Steps
NBC10 Boston has reached out to an attorney for Lane as well as Worcester’s Assumption University for comment.
A hearing for the plea agreement hasn’t yet been scheduled in federal court, prosecutors said.
The hack described in the court document matches a third-party assessment of the PowerSchool incident, NBC News reported.
Conclusion
The case highlights the severity of cybercrime and the importance of protecting sensitive information. The guilty plea and charges against Matthew D. Lane serve as a reminder of the consequences of such actions. As technology continues to evolve, it is crucial for companies and individuals to prioritize cybersecurity and take measures to prevent similar incidents.
FAQs
- Q: What companies were affected by the hacking incident?
A: Two U.S. companies were affected, including the education technology company PowerSchool and a U.S. telecommunications company. - Q: What charges did Matthew D. Lane face?
A: Lane faced charges of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. - Q: What was the outcome of the case?
A: Matthew D. Lane agreed to plead guilty to the charges. - Q: How many students and teachers were affected by the data breach?
A: Over 60 million students and 10 million teachers were affected by the breach. - Q: What was the demanded ransom for not leaking the stolen data?
A: The demanded ransom was 30 Bitcoin, or about $2.85 million.
