Twenty-year-old Matthew Lane has publicly confirmed he is the threat actor behind the PowerSchool breach, one of the largest education data incidents on record. Speaking to ABC News ahead of reporting to federal prison in Connecticut, Lane confirmed he extorted millions in ransom from the California-based education software provider, whose platform serves more than 18,000 school districts globally. PowerSchool acknowledged paying an undisclosed ransom to prevent the data from being made public.

What Happened

In 2024, Lane used stolen employee credentials to gain unauthorized access to PowerSchool's systems. After exfiltrating a massive volume of student and teacher records, he transferred the data to a server he leased in Ukraine. Days after the exfiltration, PowerSchool received a ransom demand for $2.8 million in Bitcoin. The note was written to appear as though it originated from a well-known hacking group, a deception tactic designed to amplify pressure on the victim. PowerSchool paid an undisclosed amount, citing the need to protect affected individuals. By January 2025, school districts across San Diego County and beyond were notifying parents and staff that their personal information had been compromised.

What Was Taken

The breach exposed highly sensitive personally identifiable information for an estimated 60 million students and 10 million teachers across the United States, Canada, and other countries. Stolen records included Social Security numbers, dates of birth, and medical information. The combination of these data types creates significant downstream risk: Social Security numbers paired with birthdates enable identity fraud, while medical records can be leveraged for targeted phishing, insurance fraud, or coercion. The exposure of minors' data at this scale is particularly consequential, as children have no existing credit history to monitor and the harm may not surface for years.

Why It Matters

This incident is a case study in credential-based intrusion against a high-value aggregator. PowerSchool is not a single school's database; it is infrastructure for tens of thousands of institutions. A single compromised employee account yielded access to data on tens of millions of individuals across multiple countries. The willingness of a major vendor to pay ransom rather than risk data exposure validates the attacker's model and signals to other threat actors that education technology is a profitable target with a high likelihood of payment. The use of a false-flag attribution note, mimicking a known criminal group, also demonstrates that even unsophisticated lone actors now employ disinformation tactics to maximize leverage.

The Attack Technique

Lane's method was credential theft followed by data exfiltration, with no indication that a zero-day or any complex exploit was involved. He obtained an employee's login credentials and used them to access PowerSchool's systems directly. The data was then moved to the leased server abroad before the ransom demand was issued. The attack required no advanced tooling: valid credentials against an internet-accessible system were sufficient for full data access. This pattern, identity-based intrusion using legitimate credentials, is among the most common initial-access vectors in large breaches. Staging the data on a leased Ukrainian server added jurisdictional friction for investigators but did not prevent identification and prosecution.

What Organizations Should Do

  1. Enforce phishing-resistant MFA on all remote access. A stolen password alone should never be sufficient to authenticate. Hardware security keys or passkeys close the stolen-password path because the authenticator is bound to the legitimate origin and cannot be replayed from a phishing page. They do not protect an already-issued session token, so pair them with short session lifetimes and, where available, token binding to the device.
  2. Audit and restrict privileged data access. A single employee account should not have read access to the full customer database. Apply least-privilege principles and segment data by role, geography, and need-to-know.
  3. Deploy data loss prevention controls. Large-volume exfiltration produces detectable signals. Baseline each account's normal export volume so deviations stand out, monitor for bulk exports, abnormal query volumes, and transfers to external or cloud storage, and rate-limit or require approval for exports above a set size.
  4. Conduct third-party vendor risk assessments. If your institution uses PowerSchool or any similar aggregator, verify what data the vendor holds, how it is protected, and what breach notification SLAs are contractually required.
  5. Establish a tested incident response plan before an event. PowerSchool's decision to pay was made under time pressure, and payment never guarantees that the attacker actually deletes the data. Organizations that have pre-negotiated legal frameworks, offline backups, and communication templates are better positioned to resist extortion.
  6. Monitor dark web channels for credential exposure. Lane obtained working credentials before the breach. Services that track employee credential leaks in criminal forums can provide early warning before those credentials are weaponized.
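To make the bulk-export signal in item 3 concrete, here is an added example written for this page; it is not PowerSchool's code or any vendor's logging. The JSON log format, field names, account names, IP addresses, dates and thresholds are all constructed assumptions. The detector applies two rules over an access log: a hard ceiling on records returned by a single export call, and a per-account comparison of each day's export volume against that account's own prior daily median (an account's first observed day has no history and is skipped rather than alerted on).

```python
"""Detect bulk-export behaviour in application access logs (added example).

All field names, sample records, and thresholds below are assumptions for
illustration, not PowerSchool's actual logging or any product's defaults.
"""
from collections import defaultdict
from datetime import datetime
import json
import statistics

# Tunables (assumptions for this example).
MAX_RECORDS_PER_CALL = 10_000   # ceiling for one export call
BASELINE_MULTIPLIER = 20        # daily volume vs the account's own median
MIN_DAILY_RECORDS = 5_000       # floor so tiny accounts' 20x is not noise

# Constructed sample log: one JSON object per API call. The support account
# normally pulls a handful of records; the last three lines show the same
# account exporting hundreds of thousands at 02:00 from an unfamiliar IP.
SAMPLE_LOG = """
{"ts": "2024-03-04T08:01:00Z", "user": "support.jdoe", "action": "export", "records": 12, "src_ip": "10.20.0.5"}
{"ts": "2024-03-04T09:15:00Z", "user": "support.jdoe", "action": "export", "records": 25, "src_ip": "10.20.0.5"}
{"ts": "2024-03-04T10:40:00Z", "user": "support.jdoe", "action": "export", "records": 8, "src_ip": "10.20.0.5"}
{"ts": "2024-03-04T11:02:00Z", "user": "support.amiller", "action": "export", "records": 40, "src_ip": "10.20.0.9"}
{"ts": "2024-03-05T13:30:00Z", "user": "support.jdoe", "action": "login", "records": 0, "src_ip": "10.20.0.5"}
{"ts": "2024-03-07T02:13:00Z", "user": "support.jdoe", "action": "export", "records": 250000, "src_ip": "203.0.113.77"}
{"ts": "2024-03-07T02:14:00Z", "user": "support.jdoe", "action": "export", "records": 250000, "src_ip": "203.0.113.77"}
{"ts": "2024-03-07T02:15:00Z", "user": "support.jdoe", "action": "export", "records": 250000, "src_ip": "203.0.113.77"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def daily_volumes(events):
    """Map user -> {date: total records exported that day}."""
    volumes = defaultdict(lambda: defaultdict(int))
    for event in events:
        if event["action"] == "export":
            volumes[event["user"]][event["ts"].date()] += event["records"]
    return volumes


def detect_bulk_exports(events):
    """Return alert dicts for single-call ceiling hits and daily baseline deviations."""
    alerts = []

    # Rule 1: any single export call above the hard ceiling.
    for event in events:
        if event["action"] == "export" and event["records"] > MAX_RECORDS_PER_CALL:
            alerts.append({
                "rule": "single_call_ceiling", "user": event["user"],
                "when": event["ts"].isoformat(), "records": event["records"],
                "src_ip": event["src_ip"],
            })

    # Rule 2: a day's volume far above the account's own prior daily median.
    for user, by_day in daily_volumes(events).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if not history:
                continue  # first observed day: no baseline yet, do not alert
            baseline = statistics.median(history)
            threshold = max(baseline * BASELINE_MULTIPLIER, MIN_DAILY_RECORDS)
            if by_day[day] > threshold:
                alerts.append({
                    "rule": "daily_baseline_deviation", "user": user,
                    "when": day.isoformat(), "records": by_day[day],
                    "baseline": baseline, "threshold": threshold,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, default=str))
```

Running the block prints four alerts, all for `support.jdoe`: three ceiling hits (one per 250,000-record call) and one daily deviation (750,000 records against a prior median of 45). The baseline rule is what catches an attacker who stays under any fixed per-call limit but runs thousands of small queries; the ceiling rule catches a single greedy dump. In production the alert would also carry the source IP and time of day, both of which differ from the account's norm in the constructed sample, and exports above the ceiling would be blocked or held for approval rather than merely logged.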

Sources: Cybercriminal responsible for PowerSchool breach speaks out