Article Details

US teen to plead guilty to extortion attack against PowerSchool. The 19-year-old and a partner first tried to extort an unnamed telco, but failed. A 19-year-old student has agreed to plead guilty to hacking into the systems of two companies as part of an extortion scheme, and The Register has learned that one of the targets was PowerSchool. In January, PowerSchool, which holds data on around 60 million North American kids and about 10 million teachers, disclosed a data breach. The education tech firm initially claimed it had paid for the stolen data to be deleted, but then later admitted the attackers hadn't held up their end of the deal, and the data was still out there. Matthew Lane, 19, a student at Assumption University in Massachusetts, was charged with conspiring to extort money from a telco and an unnamed school software supplier that held data on "more than 60 million students and 10 million teachers," according to the FBI. A source familiar with the matter confirmed to The Register that the second company was PowerSchool. Lane has agreed to plead guilty to four federal charges: cyber extortion, cyber extortion conspiracy, unauthorized access to protected computers, and aggravated identity theft. According to court documents, [PDF] in or around October 2022, an unknown individual gained unauthorized access to the systems of an unidentified US telecommunications company and stole confidential customer data. Prosecutors say that by April 2024, Lane and a co-conspirator tried to extort the telco for $200,000 in Bitcoin by threatening to leak the stolen data. The effort came across as amateurish, and the telco initially sought clarification on who actually possessed the data. "When you messaged us from this account back in November, you told us not to pay any ransom as multiple copies of the data were floating around. Now, you come to us asking to be paid. We need help to understand your position," reads a message from the telco to Lane. Lane and his unnamed partner discussed their response over Signal and sent the following message back to the telco. If you keep stalling, it will be leaked. Do not waste time "A member of our group (now handled with) split off with the data and claimed it as theirs. We eventually had him dealt with in the coming year," it read. "We are the only ones with a copy of this data now. Stop this nonsense and your executives and employees will see the same fate as he did. Make the correct decision and pay the ransom. If you keep stalling, it will be leaked. Do not waste time." It didn't work. In May, Lane messaged his partner, "we need to hack another ... company that'll pay." So in September, Lane used credentials assigned to a contractor working for a school software provider to access the company's systems and began harvesting user information. In December, he transferred the stolen data to a server he rented in Ukraine. On December 28, the software biz received a threat that the information would be leaked unless it paid 30 Bitcoin (worth around $2.85 million at the time). It's not stated how much the software biz paid out, but as part of his plea deal, Lane agreed to forfeit $160,981, proceeds tied to the extortion scheme. "Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars," said Kimberly Milka, acting special agent in charge at the FBI's Boston branch. Lane faces a possible maximum sentence of 17 years in prison and a fine of $250,000, plus three years of supervised release. Under the terms of his plea agreement [PDF], he faces a mandatory minimum of two years, with his final sentence to be determined by a federal judge.