Teen Hacker Jailed After PowerSchool Breach Exposes Millions of Student Records
Updated
Updated · WCVB Boston · Apr 14
Teen Hacker Jailed After PowerSchool Breach Exposes Millions of Student Records
9 articles · Updated · WCVB Boston · Apr 14
A 20-year-old Massachusetts student, Matthew Lane, has been sentenced to four years in federal prison for orchestrating a massive PowerSchool data breach.
Lane accessed sensitive data of 60 million children and 10 million teachers, extorting nearly $3 million in Bitcoin and exposing major vulnerabilities in education systems.
Authorities warn of a surge in teenage cybercrime, often rooted in gaming communities, and urge parents to monitor and engage with their children's online activities.
What legal accountability does a company face after a breach compromises millions of children?
Why did the largest breach of children's data hinge on a single password?
Is teen hacking a 'natural high' addiction or a crime glorified by online culture?
Can a hacker who compromised 71 million people ever be trusted to work in cybersecurity?
With millions of kids' data stolen, are credit freezes enough to prevent future identity theft?
How can we turn the unique skills of neurodivergent teens into a cybersecurity asset?
Inside the PowerSchool Cyberattack: 62 Million Records Stolen, $14M Restitution, and Youth Hacker Culture
Overview
In December 2024, Matthew Lane exploited stolen credentials to breach PowerSchool's system, which lacked multi-factor authentication, allowing attackers to access and steal sensitive data of over 62 million students and 9.5 million teachers. Lane demanded a $2.85 million ransom, which PowerSchool paid, but attackers still extorted individual schools afterward. Following his guilty plea, Lane was sentenced in June 2025 to four years in prison and ordered to pay $14 million in restitution. The breach exposed serious security gaps and systemic failures in edtech data governance, sparked ethical debates on youth cybercrime, and highlighted the urgent need for stronger security measures and early intervention to prevent future attacks.