A 19-year-old Massachusetts student has been sentenced to four years in prison for hacking into the PowerSchool education platform, which exposed the personal information of more than 70 million students and teachers worldwide. The incident was one of the largest in the field of educational technology in recent years. American student Matthew D. Lane of Worcester County, Massachusetts, pleaded guilty to hacking into the internal customer service portal of PowerSource, which is owned by PowerSchool, a provider of solutions for K-12 schools that serves more than 60 million users worldwide.
The attackers gained access to databases of 6,505 school districts, stealing confidential records on 9.5 million teachers and 62.4 million students. The stolen data included names, addresses, emails, dates of birth, school IDs, social security numbers, grades, and even medical notes and disciplinary actions.
After gaining access, the group of attackers sent out a ransom note signed by the notorious ShinyHunters group, demanding $2.85 million in Bitcoin. While PowerSchool did not disclose the exact amount of the ransom paid, the company confirmed that it had made concessions to the hackers “in the interest of the safety of students and school communities.”
Following the incident, some educational institutions received repeated threats demanding additional payments, even after making the initial payment. The company contacted law enforcement in the United States and Canada and informed all users of the potential risk.
PowerSchool is one of the largest developers of educational software in North America, serving more than 15,000 schools. The company supplies learning management systems and stores huge amounts of personal data.
In 2024, PowerSchool was already the victim of a similar attack, after which it promised to strengthen cyber security. Despite this, Texas Attorney General Ken Paxton filed a lawsuit against the company for “inadequate security and negligent storage of family and student data.” The case once again raised the issue of the vulnerability of educational systems, which are increasingly becoming targets for cybercriminals due to the large amount of confidential information that is highly valuable on the black market for data. The story of PowerSchool shows how important it is for educational institutions to implement modern cybersecurity tools and regularly check contractors who have access to internal systems. Even a single mistake by a vendor can lead to a leak of data for millions of people.
Today, digital security in education is not a technical detail, but a matter of trust between schools, children and their families.
