The U.S. Attorney’s Office for the District of Massachusetts announced yesterday that Matthew D. Lane, 19, a student at Assumption University in Worcester, Mass., was charged and has agreed to plead guilty in connection with hacking into the computer networks of two U.S.-based companies and extorting the companies for ransoms.
The two companies were not named in the Information or Plea Agreement, but the second victim is PowerSchool, the EdTech vendor that announced a major incident affecting more than 60 million students and approximately 10 million school personnel nationwide.
Lane agreed to plead guilty to one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft. A plea hearing has not yet been scheduled by the Court.
According to court filings, Lane obtained the login credentials of an employee of one of PowerSchool’s contractors. The contractor firm was not named, but the employee’s credentials enabled Lane to access PowerSchool’s network and begin to download data from schools using PowerSchool’s platform and service. PowerSchool did not seem to have detected any breach of their system until they were contacted the hacker(s) with a ransom demand in December.
Lane faces up to 5 years in prison for each of Counts 1-3, and then a mandatory 2-year sentence for aggravated identity theft that cannot be served concurrently with the other sentences. He will also be making restitution, forfeiting assets, and getting supervised release for three years following release from prison.
PowerSchool recently admitted that they had paid an extortion demand when they were contacted by the hacker(s). The amount they paid was not disclosed, but court filings indicate that Lane and co-conspirators sought $2.85 million. In exchange for payment, Lane assured PowerSchool that he had deleted all the stolen data, but months later, the state of North Carolina and some districts received extortion demands with proof of data possession.
Lane was not charged with any involvement in the recent (second) round of extortion attempts, and the identity of the person or persons responsible for the second round has not been confirmed.
