Prosecutors are searching for a seven-year jail sentence for the 19-year-old Massachusetts man who pleaded responsible to hacking into an schooling know-how firm’s databases and stealing knowledge belonging to thousands and thousands of scholars and lecturers.
The sentencing suggestion for Matthew Lane relies on his historical past of allegedly hacking not less than seven different victims, together with international authorities entities, since 2021, in line with a sentencing memorandum filed Tuesday. He accessed databases belonging to the corporate PowerSchool that had data on greater than 60 million college students and 9 million lecturers.
Prosecutors alleged Lane acted out of greed and knew that what he was doing was fallacious, and so they cited his habits regardless of having “loving and nurturing” mother and father as additional proof that Lane ought to spend years behind bars.
Lane, who’s scheduled to be sentenced on October 14, allegedly advised PowerSchool that he would leak the Social Safety numbers of youngsters as younger as 5 and spoil the agency financially if it didn’t pay a ransom of 30 bitcoin (about $2.85 million on the time), in line with the memorandum.
“Ultimate be aware, we totally intend to destroy your organization and bankrupt it to the purpose of no absolute return if the ransom just isn’t paid,” Lane advised PowerSchool, in line with court docket paperwork.
The incident has value the ed tech large greater than $14 million because of the identification theft monitoring it has provided victims, along with an almost $3 million ransom, in line with the memorandum. Lane has paid again about $160,000 of the ransom, prosecutors mentioned.
Delicate knowledge, together with college students’ Social Safety numbers, particular schooling standing, medical circumstances and parental restraining orders, have been uncovered within the hack, which PowerSchool made public in January.
Prosecutors mentioned Lane used “subtle” ways to cowl his tracks, together with through the use of digital non-public networks, eSIMs, anonymized e mail addresses and cellphone numbers, stolen credentials and international servers.
A freshman at Assumption Faculty in Massachusetts, Lane allegedly used the ransom cash to purchase designer garments, diamond jewellery, luxurious rental residences and quick meals deliveries, prosecutors mentioned. The memorandum notes that he anticipated his school internship to cowl his restricted pupil debt and that he deliberate to work for Google, proof that he might have earned professional cash utilizing his cyber expertise.
Lane’s lawyer didn’t reply to requests for remark.
A spokesperson for PowerSchool mentioned the corporate is “dedicated to defending pupil knowledge and making certain the security of our programs.”
The proposed seven-year sentence additionally incorporates Lane’s responsible plea for hacking an unnamed wi-fi telecommunications firm.
In Could 2024, prosecutors say, Lane hacked the agency and demanded it pay a $200,000 ransom. On the time, the sentencing memorandum says, Lane advised a co-conspirator, “we have to hack one other shitty firm that[’]ll pay. [W]e want SSNs [social security numbers].”
Three months later, in August 2024, Lane allegedly broke into PowerSchool’s community.
By December 2024, Lane had leased a Ukraine-based server onto which he allegedly exfiltrated PowerSchool knowledge, together with Social Safety numbers.
Lane advised a girlfriend he can be working late the identical night time that the server was leased, saying, “I simply want to truly make $ for a second,” the sentencing memorandum says.
Prosecutors say Lane knew that what he was doing was fallacious, pointing to the truth that when he hacked the wi-fi telecommunications firm he advised a co-conspirator they need to use burner telephones, cover their IP addresses, switch cryptocurrency proceeds to nameless digital playing cards and put on masks and gloves when utilizing ATMs tied to the playing cards.
Lane advised his co-conspirator that in the event that they took these precautions legislation enforcement “will actually discover nothing,” in line with the sentencing memorandum.
Final month, Texas sued PowerSchool, saying the corporate broke state legal guidelines referring to misleading commerce practices and identification theft safety, together with by deceptive customers into believing its shoddy safety practices have been “state-of-the-art.”
PowerSchool has acknowledged the hack was enabled by the truth that it didn’t use multifactor authentication.
