Introduction to the Case
A teenage university student from Massachusetts has agreed to plead guilty to charges in connection with the hacking and extortion of two U.S. companies, federal prosecutors say.
One of those companies is the education technology company PowerSchool, a person familiar with the matter told NBC10 Boston. The company disclosed a breach in early January — its software has been used by more than 18,000 schools to support over 60 million students across North America.
Charges Against the Student
The U.S. Attorney’s Office for Massachusetts didn’t share the name of the company in announcing charges of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft against Matthew D. Lane, a 19-year-old from Sterling who’s attending Assumption University. But U.S. Attorney Leah Foley said in a statement that he "stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt."
Extortion and Hacking Allegations
Lane allegedly extorted a $200,000 ransom from a U.S. telecommunications company by threatening to share stolen customer data. Prosecutors said he replied to a question about whether paying the ransom would stop the extortion by saying, "We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked."
Impact on Educational Institutions
He later used a stolen login to get into an education software and cloud storage company’s computer network, according to prosecutors, and moved personal identifying information of both teachers and students to a server he’d leased in Ukraine. That company later received threats that names, Social Security numbers and other information of over 60 million students and 10 million teachers would be leaked unless the company paid a ransom of 30 Bitcoin, or about $2.85 million, according to prosecutors and court documents.
Company Response and Next Steps
A representative for PowerSchool said the company was aware of the filing and referred questions to prosecutors. NBC10 Boston has reached out to an attorney for Lane as well as Worcester’s Assumption University for comment. A hearing for the plea agreement hasn’t yet been scheduled in federal court, prosecutors said. The hack described in the court document matches a third-party assessment of the PowerSchool incident, NBC News reported.
Conclusion
The case highlights the growing concern of cybersecurity threats in educational institutions and the importance of protecting sensitive information. The guilty plea and upcoming hearing will provide more insight into the severity of the hacking incident and the measures being taken to prevent such incidents in the future.
FAQs
- Q: What companies were affected by the hacking incident?
A: Two U.S. companies, including the education technology company PowerSchool, were affected. - Q: What charges did Matthew D. Lane agree to plead guilty to?
A: Lane agreed to plead guilty to charges of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. - Q: What was the motive behind the hacking incident?
A: According to prosecutors, Lane’s motive was to impose substantial financial costs on his victims and instill fear in parents that their kids’ information had been leaked. - Q: What is the current status of the case?
A: A hearing for the plea agreement hasn’t yet been scheduled in federal court.
