powerschool – The 74, America's Education News Source

PowerSchool Hacker ‘Thankful I Got Caught,’ Sentenced to 4 Years in Prison
Tue, 14 Oct 2025 21:30:00 +0000

Worcester, Massachusetts

Computer hacker and former college student Matthew Lane — who was a teenager when he carried out a massive cyberattack on education technology company PowerSchool — was sentenced in federal court on Tuesday to four years in prison and ordered to pay more than $14 million in restitution. 

Lane, a former Assumption University freshman who federal prosecutors described as a sophisticated and experienced cybercriminal, told a federal judge that his crimes occurred during an “extremely dark time in my life,” but acknowledged, “I deserve to be punished.” In June, Lane pleaded guilty to what is widely considered the largest exposure of private student data in history, a breach that compromised the sensitive information of some 60 million students and 10 million educators.


“I robbed actual people and their families of their sense of security,” Lane, now 20, told U.S. District Court Judge Margaret Guzman, his shaggy hair obscuring his eyebrows and the tops of his glasses, adding he was “thankful I got caught.”

Lane said he takes “full responsibility” for his crimes but that he was “disconnected from reality” while he engaged in hacking. He has since become “sober not just from drugs, but from the internet as well,” he told Guzman.

Accompanied in court by family members and several friends, Lane broke down and sobbed after learning his sentence, which includes three years of supervised release and a $25,000 fine.

He was convicted of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft. Federal prosecutors were seeking a seven-year prison term, describing Lane in a sentencing memo as motivated by greed and noting that the threat to PowerSchool warned, “we fully intend to destroy your company and bankrupt it to the point of no absolute return” if it didn’t meet a $2.85 million ransom demand in Bitcoin.

Lane’s sentencing concludes a yearlong cybercrime saga, which began in September 2024 when prosecutors say he hacked into PowerSchool’s computer network and transferred stolen records to a leased server in Ukraine. About three months later, PowerSchool officials received the extortion demand to prevent sensitive student and teacher data — including the Social Security numbers of children as young as 5 — from being leaked “worldwide.”

Lane also pleaded guilty to working with an unnamed co-conspirator from Illinois to extort $200,000 from an unnamed U.S.-based wireless telecommunications company between April and May 2024 before he discussed the “need to hack another shitty company that[’]ll pay” and set his sights on PowerSchool. 

Matthew D. Lane was sentenced on federal cybercrime charges Tuesday at the federal district courthouse in Worcester, Massachusetts. (Photo: Mark Keierleber)

Guzman, who appeared sympathetic to Lane’s young age at the time he carried out multiple cyberattacks, said the case should serve as a cautionary tale to parents everywhere and expressed alarm about the “breadth and reach of technology” to commit crimes anonymously. Guzman said the challenges Lane faced as a teenager, including social isolation and struggles to fit in with his peers, made him “vulnerable to falling through the rabbit hole.”

Guzman said society can’t go back to the days of typewriters and television sets with just five channels. But parents have placed computers in their children’s bedrooms and provided cell phones to grade schoolers without proper guardrails. Lane, she said, won’t be the last one to exhibit “bravado behind the screen of a computer.” 

Defense attorney Sean Smith asked the judge to sentence Lane to three years in prison and three years of supervised release. Smith said Lane was “very much cognizant of the seriousness” of his offenses and that he pleaded guilty and “admitted fault almost from the get-go.” 

Smith said Lane was a teenager when the cyberattacks unfolded and had no previous convictions. Letters of support submitted by family members to the court made clear Lane was “a generous, loving, patient individual,” who grappled with loneliness, depression and anxiety.

The seriousness of Lane’s actions “can’t be overstated,” said Assistant U.S. Attorney Kristen Kearney, who called his behavior “calculated.” The PowerSchool data breach has caused real harm to millions of people, she said, who now face stifled job prospects, heightened insurance costs and other harms that will follow them “for the rest of their lives.”

Kearney noted that Lane made several efforts to conceal his identity and avoid detection and was financially motivated: He desired designer clothes and jewelry, she said, and to “host parties at extravagant Airbnbs.” 

Lane “did not make a teenage mistake” or get “mixed up with the wrong crowd,” she argued, but carried out “carefully planned attacks” for financial gain. Personal statements that put Lane in a positive light, she said, showed he was living “a double life.” In the online world, she said, digital chat messages included racial slurs, antisemitism and threats of sexual violence. 

The prosecutor challenged Lane’s request for a three-year prison sentence, arguing that other cybercriminals could see it as the cost of doing business if they have millions of dollars in cryptocurrency waiting for them after their release. Lane returned about $160,000 to the government, according to a sentencing memo released last week, but roughly $3 million remains unaccounted for.

Kearney also disputed Smith’s assertion that Lane was a first-time offender at the time of the PowerSchool breach, despite his absence of a criminal record. Last week, federal officials accused him of carrying out at least eight cyberattacks dating back to at least 2021 when he was still in high school.

Prosecutors said the PowerSchool attack resulted in more than $14 million in damages, including the ransom payment and identity theft services for the students and teachers who were victimized. 

In a statement to The 74 on Tuesday, PowerSchool said it “appreciates the efforts of the prosecutors and law enforcement who brought this individual to justice” and that the company remains focused on “supporting our school partners and safeguarding student, family and educator data.”

After the sentencing hearing, a tearful Lane, who wasn’t immediately taken into custody, was embraced by friends and family members. 

“I’m sorry, guys,” he said to four friends outside the courtroom, exchanging hugs and handshakes before getting into an elevator. “I love you guys.”

The ‘Seasoned’ Teen Hacker Behind the PowerSchool Breach
Sat, 11 Oct 2025 10:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

The Massachusetts teenager set to be sentenced next week for  was a “seasoned cybercriminal” who has targeted educational institutions, government agencies and corporations since 2021, my latest investigation reveals. 

Good morning and thank you for tuning in for a special edition of . Today, I turn your attention to Matthew Lane, who was a 19-year-old college freshman when he pleaded guilty earlier this year to carrying out a cyberattack on PowerSchool, stealing sensitive data from millions of students and teachers and leveraging it into 

In my latest story published this morning, I reveal how  according to threat intelligence research conducted by the cybersecurity company Cyble and provided exclusively to The 74. The company’s findings, which mirror sentencing documents released by federal prosecutors on Wednesday, conclude that Lane used advanced techniques to take down his targets including PowerSchool — a cyberattack that represented “a predictable escalation rather than an isolated incident.”

Federal prosecutors used similar language, maintaining that Lane’s “crimes were not a mistake resulting from an isolated lapse in judgment,” but rather part of a pattern of criminal cyber activity that dates back to at least 2021.

In an analysis of digital fingerprints and data breaches, Cyble analysts concluded that Lane had been  when he was still in high school. Targets included an alcoholic beverage company, a major U.S. supermarket chain, an Indonesian telecommunications company and the Colombian armed forces, Cyble said. In Wednesday’s memo, prosecutors allege that Lane has hacked at least eight targets, including “foreign government entities.” To this day, prosecutors said, most of the millions of dollars he extorted remains unaccounted for.

In federal district court in Worcester, Massachusetts, on Tuesday, they will ask the judge to sentence Lane, who was known to many in his life as a soft-spoken gamer and skilled computer programmer, to seven years in prison and more than $14 million in restitution. 

PowerSchool Teen Hacker Was a ‘Sophisticated’ Cybercriminal, Prosecutors Say
Fri, 10 Oct 2025 10:30:00 +0000

Updated, Oct. 10

Sterling, Massachusetts 

Matthew Lane peeked his head through a window at his parents’ house on a wooded, winding road, and, with apprehension, opened the front door. 

The chime of the doorbell at the gray, two-story house, which sent the family dog into a fit, wasn’t expected — or welcomed. 

Lane’s had been the subject of speculation and intrigue since May when federal prosecutors announced the rail-thin, shaggy-haired 19-year-old college freshman had confessed to a ransomware attack on education technology behemoth PowerSchool.

Federal prosecutors accused Lane of collaborating with at least one unnamed co-conspirator to steal the sensitive records of more than 60 million students and 10 million educators. Claiming to be part of a “notorious hacking group,” he used the stolen data to extort nearly $3 million from California-based PowerSchool. Though charging documents describe the education technology company as “Victim 2,” extensive details released by the government align with the company’s disclosure about the breach. 

Lane pleaded guilty to the breach — widely considered the largest exposure of private student data in history — in June and is scheduled to be sentenced in federal court on Tuesday. 

“Money and greed” motivated his actions, released on Wednesday that states Lane wanted “to buy designer clothes, diamond jewelry and luxury vehicles” while spending funds on “extravagant rental apartments and near daily fast-food delivery.” Lane returned about $160,000 to the government, but roughly $3 million remains unaccounted for, according to the sentencing report.

Federal prosecutors, who charged him with computer fraud and aggravated identity theft, are seeking a seven-year prison sentence and more than $14 million in restitution.

His “crimes were not a mistake resulting from an isolated lapse in judgment,” the memo alleges, but rather part of a pattern of criminal cyber activity that dates back to at least 2021, when he was still in high school. His targets include at least eight victims total, “ranging from a school athletic association to private companies to foreign governments.” 

June 6, 2025; Worcester, MA, USA; Matthew D. Lane of Sterling leaves the U.S. District Courthouse June 6 in Worcester. (Brad Petrishen – USA TODAY NETWORK via Imagn Images)

Open-source reporting and a threat intelligence report obtained by The 74 from cybersecurity firm Cyble reveal details of what that past cyber crime life looked like. They provide evidence that , who was known on the Worcester, Massachusetts, campus for being socially reserved, took on flamboyant, meme-inspired personas in online cybercrime communities that were highly active for years.

In the physical world, Lane appeared to keep a low profile around town — and he hoped to keep it that way. 

“Please leave,” Lane told a reporter who traveled to his hometown in August to learn more about the teenager described by federal prosecutors as “hiding behind his keyboard” to carry out “get rich quick” cyberattacks.

Lane’s attorney, Sean Smith, didn’t respond to requests for comment.

Prosecutors said Lane “grew up in a safe, small town” with what the teenager himself described as “loving and nurturing parents” and close relationships with all his family members. It was here in Sterling — a middle-class enclave of fewer than 8,000 residents — where neighbors watched a parade of Federal Bureau of Investigation agents park outside the Lane residence and conduct an early-morning raid this spring.

For cybersecurity professionals following the PowerSchool case, Lane’s indictment, which was publicized by federal law enforcement as a major score in their crackdown on cybercrime rings, . Among them, to a network of young, for and

Cyble leverages open-source intelligence techniques and proprietary tools to track the online behaviors of threat actors and help businesses manage their cyber risks. The firm provided threat intelligence research exclusively to The 74 that aligns with prosecutors’ assertions in Lane’s sentencing report.

Cyble researchers identified digital personas they connected to Lane and tracked the accounts’ behaviors on a cybercrime forum and across the web. These threat-actor accounts “systematically targeted educational institutions, government agencies and corporate networks since 2021,” the firm said, citing the same year as federal prosecutors.

These earlier hacks and data breaches, Cyble said, affected an alcoholic beverage company, a major U.S. supermarket chain, an Indonesian telecommunications company and the Colombian armed forces. 

To bring down targets without detection, the threat actor behind the accounts leveraged the techniques of “experienced hackers,” Cyble Chief Product Officer Kaustubh Medhe said. The PowerSchool hack was “a predictable escalation rather than an isolated incident,” Cyble analysts concluded, and was not the work of a “first-time offender” but rather “a seasoned cybercriminal.” 

“We wouldn’t treat him like an amateur,” Medhe said. “In no way can we say that he was just a young kid who struck rich.”

The sentencing report similarly describes Lane’s conduct as “sophisticated, involving virtual private networks, eSIMs (a digital, more secure version of a physical card), anonymized email addresses and phone numbers, stolen credentials and foreign servers.”

Federal prosecutors accused Lane of working with a co-conspirator to extort $200,000 from a U.S.-based wireless telecommunications company before discussing the “need to hack another shitty company that[’]ll pay.” 

PowerSchool became that next victim, prosecutors say.

A web archive of a BreachForum user that security researchers tied to Matthew Lane boasts of the alleged hacker’s exploits. (Screenshot)

The extortion pipeline

Online fingerprints that Cyble used to connect the digital aliases “,” “netsaosa,” “fuckmarykill” and others to Lane show they have been exploiting vulnerabilities since the defendant was barely old enough to drive. Then the hacker bragged about it. 

On a now-defunct online cybercrime marketplace, that security researchers pegged to Lane, in part from an exposed IP address,  appeared to boast of attention-grabbing exploits: “ive been on news sites a few times,” g0re wrote in a signature line. 

As news of Lane’s connection to the PowerSchool case circulated around Sterling, neighbors said they were thankful he wasn’t arrested for dealing drugs. But few people knew the young man accused of carrying out the crime.

“I’ve never heard of him, but he can go to hell,” said one patron at B-Man’s 140 Tavern, a biker bar on the outskirts of town that’s known as a hub for local gossip. A police department dispatcher said she didn’t know anything about the case beyond the highlights that made the local news and the executive director of the local public access television station said he was similarly out of the loop. 

To people who knew Lane, the indictment was a shock. Neighbors, former classmates and a college professor described him as a soft-spoken gamer and a skilled computer programmer. 

One former classmate, Quinton Brien, said Lane didn’t “seem interested in school” and recalled the high schooler selling nicotine vapes to his underage classmates. His class portraits appear in the regional high school yearbook, but he doesn’t show up as participating in any sports teams or extracurricular clubs. 

High school friend Pia Bogieczyk said Lane is “kind of goofy” and introverted. The two bonded over the video games Minecraft and Fortnite, Bogieczyk said, and although her friend was a computer wiz, she didn’t expect him to get caught up in cybercrime. 

“I figured he would be good enough at computer stuff to do that, if that makes sense,” she told The 74, but “I didn’t think he would be using his skills for malicious purposes.”

Inside the Wachusett Regional High School campus in Holden, Massachusetts, where Lane was a student before enrolling at Assumption University. (Photo: Mark Keierleber)

On X, attributed to Lane offers insights into his personality — and his connections. The profile features a hatred of Hallmark Christmas movies, a disclosure of being “mentally ill,” a love for video games and a deep interest in anime — especially a dystopian Japanese cartoon about a lonely girl who immerses herself in an interconnected and increasingly strange digital world. 

The account also for Conor Fitzpatrick, who was a New York teenager when he , an online community where hackers sold stolen data and hacking tools. Fitzpatrick was and in September was for launching what federal officials called “one of the world’s largest English language hacking forums.” BreachForums, which has suffered several data breaches itself, has been  

Cyble analysts found these online aliases’ forays into hacking began with benign efforts to identify and report computer security flaws before progressing over several years to leaking original data breaches “and ultimately to extortion.” 

‘A notch in his hacking belt’

When federal officials announced , the Department of Justice accused the teenager of using stolen credentials in September 2024 to hack into PowerSchool’s computer network and transfer sensitive files to a leased server in Ukraine. On the night he leased the server, Lane told his girlfriend he was “gonna be on the laptop” because “I just need to actually make $ for a second,” according to the sentencing report.

About three months later, in December, PowerSchool officials received a demand for about $2.85 million in Bitcoin to prevent sensitive student and teacher data — including the Social Security numbers of children as young as 5 — from being leaked “worldwide.” 

“Final note, we fully intend to destroy your company and bankrupt it to the point of no absolute return if the ransom is not paid,” the hacker warned PowerSchool, according to the sentencing memo. The attack cost the company more than $14 million, according to the court documents, including the ransom payment and identity theft services for the students and teachers who were victimized. 

The cybercrime was “a serious attack,” U.S. Attorney Leah Foley said in a press release, adding that Lane “instilled fear in parents that their kids’ information had been leaked into the hands of criminals — all to put a notch in his hacking belt.”

In interviews with federal law enforcement after they searched his college dorm, Lane initially “fabricated a story about receiving packages of cash,” denied engaging in extortion “and only admitted his conduct when faced with his indisputable text messages,” according to charging documents. 

The PowerSchool data breach made international headlines earlier this year in part because it encompassed highly sensitive records about students, including their mental health and . The company, acquired by the Boston-based private equity firm Bain Capital for $5.6 billion last year, operates a digital platform that helps schools track students’ attendance, grades and other data. More than 18,000 educational institutions globally and 90 of the 100 largest U.S. school districts rely on PowerSchool software, the company claims. 

The company, which has faced criticism for delays in notifying affected students and educators about the ransomware attack, was hit with dozens of lawsuits over its failure to keep sensitive data secure. In September, Texas Attorney General Ken Paxton announced a lawsuit against the vendor, accusing it of about the strength of its cybersecurity features. 

PowerSchool is “committed to protecting student data and ensuring the safety of our systems,” a company spokesperson said this week in a statement to The 74.

“Following the 2024 security incident, we promptly notified our customers and provided ongoing updates as new information became available,” the statement reads. “We continue to work closely with affected districts and law enforcement to ensure transparency and accountability.”

PowerSchool , but quickly backtracked to disclose it paid the cybercriminals an unspecified extortion demand to keep students’ sensitive records from spreading online. 

Then, local school leaders in several states . In May, district administrators reported receiving ransom demands for cryptocurrency payments to stop their stolen PowerSchool records from being exposed. In North Carolina, the state education department received a demand from a threat actor a cybercrime group that’s taken credit for .

That email, obtained by the cybersecurity blog , and CyberScoop, have raised questions about Lane’s , which at one point operated BreachForums. Cybersecurity analysts have “loosely knit band of primarily English-speaking miscreants” involved in hacking, extortion and “real-life violent crime for a price.”

Medhe of Cyble said his researchers have found no evidence that ShinyHunters had a role in the PowerSchool hack, noting that anybody can “create a fake email account” and pretend an alliance with an international cybercrime syndicate. But the evidence makes clear that Lane “wasn’t acting alone,” he said, theorizing that it’s only “a matter of time” before federal officials announce the indictment of his unnamed co-conspirator. 

After organizations fall prey to a data breach, it’s common for them to experience “secondary victimization” where stolen records are leveraged multiple times by different hackers, said Yanna Papadodimitraki, a research associate at the . 

“Data can never be taken back in many ways,” she said. “Probably, the students and the teachers will be having quite a lot to deal with in the years to come.” 

‘Social relationships, albeit online, are key’

The PowerSchool breach may be Lane’s biggest cyberattack, but the Cyble threat intelligence report indicates his entry into cybercrime began closer to home.

The Lane-identified hacker aliases g0re and netsaosa for a cyberattack on the Massachusetts Interscholastic Athletic Association website, which stalled the release of the statewide brackets for upcoming  tournament games. The association that oversees high school sports was targeted, the threat actor at the time, because “I was bored.” 

When the hacker alerted the group to vulnerabilities on their site, “they ignored me. ignored me. ignored me.”

Lane was 16 at the time. 

Lane is far to get caught up in organized cybercrime. The trope of a teenage hacker tapping away in his parents’ basement is . Indeed, many of the most devastating hacks in recent memory — including   — have led to the . 

“Most of these criminals tend to have a better understanding of the local businesses, the local institutions, and what type of sensitive data they are likely to hold,” Medhe said. “And they’re most likely to target some of these institutions that they know about before going global.” 

The pathway to cybercrime for teens often begins in video gaming communities devoted to cheat codes that are used to modify the playing experience and gain an advantage, by the National Crime Agency in the United Kingdom. Such digital meetups can serve as a first stop before they move on to criminal forums that dispense “low-level hacking tools” and where “social relationships, albeit online, are key.” 

The thrill of the chase and accumulating internet points in cybercrime forums — not money — are often prime motivators, according to the British law enforcement agency, which found that just a small number of hackers work their way up the ranks to “the very technically skilled cybercriminal.” 

, published in 2023 by researchers in the Netherlands, identified two dozen “risk factors for cyber-offending,” such as being a young male with “low self-control and deviant peers.”

Youthful hackers generally turn to online communities “not only as a way to build expertise, but to gain a reputation, gain insights from others and buy and sell services,” said Thomas Holt, the director of the Michigan State University Center for Cybercrime Investigation & Training, and the entry points and motives for teen hackers. In , Holt found young people “whose peers used drugs, shoplifted and played computer games were more likely to engage in hacking.” 

“Now you can pay for a denial of service attack, as an example, whereas 20 years ago you’d have to know how to run it yourself,” Holt said, referring to a type of attack that overwhelms a computer network’s capacity and renders it unable to function. “All you need is an internet connection and some forums — maybe some YouTube videos — to become proficient, at least in today’s world.” 

Papadodimitraki of the , whose research focuses on youth delinquency, has questioned the role video games play in cybercrime. Her own work points to many of the same factors that are correlated with other crimes, including poverty, trauma, poor social connections and school exclusion. 

“But what we seem to be seeing when it comes to gaming and cybercrime is an overall interest in technology,” she said. “So gaming is just a part of that.”

A screen that reads “This Domain Has Been Seized” appeared on the BreachForums homepage after the notorious cybercrime marketplace was taken offline by federal law enforcement. (Screenshot)

BreachForums user logs leaked in 2023 show the g0re account was created using a VPN to mask the hacker’s identity, according to a Cyble analysis of the data breach. The account, researchers found, was among the earliest BreachForums members, with User ID 17. The user’s “last recorded activity,” researchers found, pointed to the IP address of the Lane household in Sterling, Massachusetts. The lapse suggests “operational security degradation over time,” they wrote, and may have played a part in Lane’s ultimate capture.

Lane is accused of going to elaborate lengths with an Illinois-based co-conspirator to cover their tracks so that investigators “will literally find nothing.” Prosecutors allege Lane used an “anonymized email address” to communicate with breach victims and Signal, the encrypted messaging app, to communicate with the co-conspirator. The two discussed directing their criminal proceeds to cryptocurrency wallets, transferring those funds to anonymous virtual credit cards and wearing masks and gloves when taking that money from ATMs. They also talked about using money mules to withdraw the cash for them.

The Cyble threat intelligence report notes Lane was also active on Telegram, the privacy-branded messaging app that’s become a popular hangout for cybercriminals. 

“The sophistication and planning involved in his crimes and the steps he took to conceal his identity—including identifying which victims to target, gaining access to their networks, negotiating ransom payments with professional cybersecurity companies, hiding the flow of funds from the ransom payments to himself and others — belies any argument that Lane was too young to understand what he was doing was wrong,” prosecutors allege.

Calling the cops

On one online forum similar to BreachForums, which is still in operation, PowerSchool exploits have been a subject of discussion for years — with student users seeking ways to change their grades and stay out of trouble with their parents. 

In one post, a user gave forum members instructions on how to spoof “the painfully evil grade checking website,” albeit temporarily, to “show off or to prove to your mom that you’re a good student.” 

The trick was a hit.

“OMG dude i love you,” one user wrote. “This just saved my xbox till my school calls home.” 

Bogieczyk, who played the video game Minecraft with Lane while in high school, recalled him taking Advanced Placement Computer Science courses and finding them “just really easy.” She said she hasn’t visited Lane since the indictment but she has friends who have. One of his preoccupations, she said, has been his online reputation. News of his indictment led to “hate online,” including social media posts and negative comments on news articles. 

One of Lane’s former Assumption University professors, who asked not to be identified because he wasn’t authorized by the university to speak, said Lane was “very quiet” in class and was surprised to learn the student, whose progress reports show he was an adept computer programmer, stood accused of a cybercrime.

The professor said he received a general email from university administrators notifying the school community of FBI activity on campus related to cybersecurity. After news of the indictment broke, the instructor said he got an email from Lane’s personal account explaining why he was absent from class and that law enforcement had confiscated his devices.

A sign that reads “Hackers Ahead” is displayed on the door of an Assumption University cybersecurity professor’s office. (Photo: Mark Keierleber)

Officials at Assumption University, a small, Catholic college with about 1,600 undergraduate students and a tiny computer science program, didn’t respond to requests for comment. Lane’s sentencing report notes he was attending Assumption on a partial scholarship, expected his college internships to pay off his student debt and aspired to work for Google.

In Sterling, the Lanes were described as “nice neighbors” who generally kept to themselves. A conversation with one neighbor was interrupted when two local police officers pulled onto the tree-lined street. Someone concerned about their privacy — Matthew Lane or his parents — had called in a complaint. 

“They just called and they don’t have any comment and they just don’t want you here anymore,” Officer Steve Mucci said. “You headed out?”

PowerSchool Paid Off Hackers After Huge Breach — Now They’re Extorting Districts
Thu, 08 May 2025 17:13:49 +0000

Cybercriminals demanded ransom payments from school districts nationwide this week, using millions of K-12 students’ sensitive data as leverage after the files were stolen from education technology giant PowerSchool in a massive cyberattack late last year.

The hackers’ new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed tech behemoth’s decision to pay a ransom in December to prevent the sensitive records from being shared publicly. In exchange for the payment, the company said hackers provided a video of them deleting some of the stolen files, which include records with some 62.4 million students’ and 9.5 million educators’ personal information.




It appears the cybercriminals — perhaps predictably — didn’t keep their end of the bargain. 


In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers’ demands to local educators will be shared with the state attorney general’s office, which is investigating the fallout from the December attack. 

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that, at least at this point, is proving to be incorrect.” 

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors’ direct outreach to schools “in an attempt to extort them using data” stolen during the December breach. Samples of data supplied to school leaders “match the data previously stolen in December,” the company said. 

It referred to a “difficult decision,” one its leadership team “did not make lightly,” to pay the ransom demand in the days after the attack, believing it was the best option to protect students’ records. Social Security numbers, special education records and detailed medical information.

“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said in a statement on Wednesday. “We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted “through various emails,” including to both their work and personal email addresses, seemingly based on the hackers’ ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, Wednesday they were “made aware that the data was not destroyed” when the threat actor contacted them directly. 

“We could not find any type of trend in who they picked to email. We tend to think it’s emails that they could publicly find and contacted that person,” Wrenn said. “This exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.” 

Though they confirmed just a subset of districts received the ransom demands, she said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool’s student information system. 

That’s about to change. Green said the state’s contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus — in part because of its promise of better cybersecurity practices. 

“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” Green said. “We are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.”

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working “closely with our customers to support them.”

Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach
/article/wisconsin-district-sues-ed-tech-giant-powerschool-after-massive-data-breach/
Tue, 11 Mar 2025 22:30:24 +0000

The St. Croix Falls, Wisconsin, school district filed a lawsuit against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.

The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, , led to a global breach of some 62.4 million students’ and 9.5 million educators’ personal information. Though the company hasn’t acknowledged how many people were affected, exposed sensitive files Social Security numbers, special education records and detailed medical information.




The St. Croix Falls complaint alleges breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.

“At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,” attorney William Shinoff, whose firm represents the St. Croix Falls district, told The 74 in an interview.

PowerSchool spokesperson Beth Keebler said in a statement the company “acted swiftly and effectively to protect our customers in compliance with the law.”

“PowerSchool believes the claims are without merit and will defend itself,” Keebler said. “However, our focus as a business continues to be our customers, ensuring they have the information and support they need while informing them of the steps we have taken to set a higher standard in cybersecurity for the entire industry.”

Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft. 

But because these center on the data breach’s potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised. 

“A cornerstone of the commercial relationship between” the school district and the company was educators’ “reliance on PowerSchool’s representation that it would adequately protect” students’ and educators’ sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool “has done little to help” the school district and people whose information was compromised. 

Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to “file thousands” of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown. 

“What I can tell you is we’ve already spoken to hundreds of districts,” Shinoff said. “Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they’re reimbursed these public dollars that were spent for their programs.” 

Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook’s and Instagram’s and the . The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm. 

PowerSchool has the hacker used a compromised password belonging to “an authorized support engineer” to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to and other records obtained by NBC News. 

The full audit, , found its systems were breached in August — months earlier than previously disclosed — but couldn’t say for certain it was by the same threat actors. 

The company “failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,” the complaint alleges. “Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.”

The that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was Feb 13.

In an earlier statement to The 74, Keebler, the PowerSchool spokesperson, said the company “has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.”

“PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,” the statement continued. “However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.” 

‘Devil and the deep blue sea’

Despite PowerSchool’s promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told The 74.

But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare. 

“Many school districts are between the devil and the deep blue sea,” Williams said. “Many of them don’t have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.” 

While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics. 

The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America’s 100 largest school districts. 

PowerSchool was by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform , has acquired , such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation’s K-12 classrooms.

Williams is the author of the central to the Wisconsin district’s claims against PowerSchool. Created by the , a collaborative effort between school districts and technology vendors to keep students’ information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — — follow stringent security practices. 

Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker. 

PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC’s reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession. 

Through the agreements, PowerSchool also vowed to “abide by and maintain adequate data security measures, consistent with industry standards” for the storage of sensitive records. 

Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium. 

“We just felt that at some point you have to police the process, at some point you have to draw a red line,” Williams told The 74. “We’ve got to protect the contract because it protects schools and it protects kids. So that’s not negotiable for us.”

Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.

“At this point their word, to us, can’t be trusted,” Shinoff said. “For them to have someone that they’re reporting to for a period of time is something that’s essential — especially when we’re dealing with thousands and thousands of districts across the country.”

Data practices under a microscope

Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students’ personal information out of the hands of malicious actors. 

As an early adopter of a to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide. 

Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.

During the event, the company free webinars, training videos and other resources to help schools better secure their systems. 

In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a “relentless investment and focus on every element of security.” 

Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, “to determine if they broke any laws.”

The company is also facing bipartisan federal questioning. In , senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals. 

“School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools,” wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach. 

PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to “adult students and educators.” Keebler, the PowerSchool spokesperson, said in the statement the company has seen “no evidence of fraud or further misuse of the information involved to date.”

But the senators wrote that PowerSchool “has not clearly communicated a date by which impacted individuals will receive” the services. 

“Your delayed and unclear communication is unacceptable,” the letter continued, “especially given the sensitive nature of the personal data that was stolen.”

Information PowerSchool takes is ‘virtually unlimited’

Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.

They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.

One brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party “partners” with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot. 


“The information PowerSchool takes from students is virtually unlimited,” the complaint alleges. “It includes everything from education records and behavioral history to health data and information about a child’s family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.”

In a motion to dismiss the lawsuit, PowerSchool’s attorneys claimed Cherkin’s complaint relied on “broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.” 

Keebler, the company spokesperson, denied Cherkin’s claims that it sells data or uses personal data to train its chatbots. 

But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students has made it an attractive target for cybercriminals — and should have been a red flag all along. She compared PowerSchool’s business model to that of social media companies that are built to amass and monetize user data.

“I’m truly not at all shocked that this happened,” she said of the breach. “The only way, really, to keep data safe is to not collect it and stockpile it in the first place.”

PowerSchool Got Hacked. Now What?
/article/powerschool-got-hacked-now-what/
Sat, 18 Jan 2025 13:30:00 +0000

Were you a current or former student in the last few decades? Or a parent? Or an educator?

If so, your sensitive data — like Social Security numbers and medical records — . Their target was education technology behemoth PowerSchool, which provides a centralized system for reams of student data to damn near every school in America.

Given the cyberattack’s high stakes and its potential to harm millions of current and former students, I teamed up Wednesday with Doug Levin of the  to moderate a timely webinar about what happened, who was affected — and the steps school districts must take to keep their communities safe.


Concern about the PowerSchool breach is clearly high: Some 600 people tuned into the live event at one point and pummeled Levin and panelists Wesley Lombardo, technology director at Tennessee’s Maryville City Schools; Mark Racine, co-founder of RootED Solutions; and Amelia Vance, president of the Public Interest Privacy Center, with questions. 

PowerSchool declined our invitation to participate but sent a statement, saying it is “working to complete our investigation of the incident and [is] coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available.”

The individual or group who hacked the ed tech giant has yet to be publicly identified.

Asked and answered: Why have the company’s security safeguards faced widespread scrutiny? What steps should parents take to keep their kids’ data secure? Will anyone be held accountable?


In the news

Oklahoma schools Superintendent Ryan Walters, who says undocumented immigrants have placed “severe financial and operational strain” on schools in his state, proposed rules requiring parents to show proof of citizenship or legal immigration status when enrolling their kids — a proposal that not only violates federal law, but is likely to keep some parents from sending their children to school.

  • Not playing along: Leaders of the state’s two largest school districts — Oklahoma City and Tulsa — rebuked the proposal and said they would not collect students’ immigration information. Educators nationwide fear the incoming Trump administration could carry out arrests on campuses.

  • Walters filed a $474 million federal lawsuit this week alleging immigration enforcement officials mismanaged the U.S.-Mexico border, leading to “skyrocketing costs” for Oklahoma schools required “to accommodate an influx of non-citizen students.”

  • Timely resource guide: With ramped-up immigration enforcement on the horizon — and with many schools already sharing student information with ICE — here are the steps school administrators must take to comply with longstanding privacy and civil rights laws.


A federal judge in Kentucky struck down the Biden administration’s Title IX rules that enshrined civil rights protections for LGBTQ+ students in schools, siding with several conservative state attorneys general who argued that harassment of transgender students based on their gender identity doesn’t constitute sex discrimination. 

Fires throw L.A. schools into chaos: As fatal wildfires rage in California, the students and families of America’s second-largest school district have had their lives thrown into disarray. Schools serving thousands of students were badly damaged or destroyed. Many children have lost their homes. Hundreds of kids whose schools burned down returned to makeshift classrooms Wednesday after losing “their whole lifestyle in a matter of hours.”

  • At least seven public schools in Los Angeles that were destroyed, damaged or threatened by flames will remain closed, along with campuses in other districts.

Has TikTok’s time run out? With a national ban looming for the popular social media app, many teens say they’re ready to move on (and have already flocked to a replacement).

Instagram and Facebook parent company Meta restricted LGBTQ+-related content from teens’ accounts for months under its so-called sensitive content policy until the effort was exposed by journalist Taylor Lorenz.

Students’ lunch boxes sit in a locker at California’s Marquez Charter Elementary School, which was destroyed by the Palisades fire on Jan. 7. (Photo by Justin Sullivan/Getty Images)

The Federal Communications Commission on Thursday announced the participants in a $200 million pilot program to help schools and libraries bolster their cybersecurity defenses. They include 645 schools and districts and 50 libraries.

Scholastic falls to “furry” hackers: The education and publishing giant that brought us Harry Potter has fallen victim to a cyberattacker, who reportedly stole the records of some 8 million people. In an added twist, the culprit gave a shout-out to “the puppygirl hacker polycule,” an apparent reference to a hacker dating group interested in human-like animal characters.

  • Dig deeper: Here’s how AI is being used by cybercriminals to rob schools.

Not just in New Jersey: In a new survey, nearly a quarter of teachers said their schools are patrolled by drones and a third said their schools have surveillance cameras with facial recognition capabilities.

The number of teens abstaining from drugs, alcohol and tobacco use has hit record highs, with experts calling the latest data unprecedented and unexpected.


ICYMI @The74


Emotional Support

New pup just dropped.

Meet Woodford, who, at just 9 weeks, has already aged like a fine bourbon. I’m told that Woody — and the duck, obviously — have come under the good care of 74 reporter Linda Jacobson’s daughter.