After pleading guilty to hacking ed tech giant PowerSchool and extorting the company, 19-year-old Matthew Lane was sentenced Tuesday to four years in prison and nearly $14.1 million in restitution.
The Massachusetts college student was accused of using an employee’s credentials to gain unauthorized access to the cloud-based K-12 software provider’s network in September 2024 and extorting $2.85 million in Bitcoin from the company in December 2024, the U.S. Attorney’s Office for the District of Massachusetts said in May. PowerSchool wasn’t initially identified in legal documents, but was later confirmed to have been the victim.
Since PowerSchool began notifying districts of a data breach in January 2025, it’s been revealed that sensitive data was leaked for more than 60 million students and 10 million teachers. A court filing said Lane’s access to this student and teacher data included names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords.
Lane allegedly told PowerSchool that if it didn’t hand over the nearly $2.85 million ransom, he would leak the stolen information “worldwide.”
The breach shocked district leaders, as it seemed that PowerSchool had been doing all the right things to keep its data secure, said Doug Levin, co-founder and national director of the K12 Security Information eXchange, a national K-12 cybersecurity nonprofit. For instance, he said, before the 2024 data breach PowerSchool had conducted audits and given assurances that the networks storing school districts’ information were secure.
The company even publicly touted the importance of K-12 cybersecurity at the White House, he said.
PowerSchool is still facing multiple lawsuits that claim the company was negligent during the cyberattack and failed to provide timely notice to impacted users.
A PowerSchool spokesperson told K-12 Dive in a Thursday statement that the company “appreciates the efforts of the prosecutors and law enforcement who brought this individual to justice.” Since the data breach, the company said, it has strengthened its systems by adding more security layers and implementing time-based access controls.
Can't put the genie back in the bottle
Although Lane has been held accountable for the PowerSchool cyberattack and sentenced to prison, "the damage is done" from the leak of the school districts’ sensitive data, Levin said. “There’s no putting the genie back in the bottle.”
K-12 cybersecurity remains “an ongoing problem,” and cyberattacks against schools won’t stop just because someone was held accountable for the PowerSchool incident, Levin said.
Between July 2023 and December 2024, 82% of K-12 schools said they had experienced a cyber incident, according to a March report from the nonprofit Center for Internet Security.
As trust eroded, conversations shifted to ed tech
The PowerSchool data breach “fundamentally shook” school systems’ trust in big ed tech vendors, Levin said.
Before that incident, he said, a lot of the conversations in K-12 cybersecurity focused on how schools could better protect themselves through efforts like strengthening firewalls and implementing multifactor authentication.
While those are important strategies, the reality is that schools rely on a large number of vendors that hold their sensitive information. “Schools are only as strong as their weakest link,” Levin said, “and if it turns out the weakest link is a vendor, as we’ve seen in these cases, it causes folks to rethink what it means to be cybersecure.”
More questioning on districts’ data retention policies
In the PowerSchool case, some of the exposed data taken from school districts was decades old. That, Levin said, suggests that keeping data for extended periods of time may present an unacceptable level of risk — especially when there’s no way to reach people whose data may have been leaked.
As a result, K-12 leaders are talking more about how and whether to minimize the data collected — and how long to hold onto sensitive information.
At a minimum, Levin said, schools should consider ways to delete and archive older sensitive information — or at least prevent it from remaining available on the internet — to reduce risk to their community members.
At the federal level, Levin said, it appears officials have “dramatically pulled back support for schools and cybersecurity.” The White House and the Cybersecurity and Infrastructure Security Agency have shifted a lot more of the burden for cybersecurity to states and localities, including schools, he said.
As the federal government steps back, states are taking more responsibility by, for example, requiring schools to report cybersecurity incidents within a certain time frame or by establishing cybersecurity standards, Levin said.
The good news, Levin added, is that “in many cases, we're starting to see that states recognize this is an issue that they need to lean in on. And they need to ensure that public agencies are doing their part, but also that vendors and other suppliers to public agencies are just as critical … that they do their part as well.”