With so much of our data now stored digitally, it’s no surprise it’s become a massive target for more and more criminals. Among them is a 19-year-old college student from Massachusetts. Instead of focusing on his studies, Matthew Lane chose to dip his toes into cybercrime, a decision that led to major consequences. Lane was behind a data breach that impacted two companies, including the educational software giant PowerSchool. Now under arrest, he has agreed to plead guilty. As part of his plea deal, Lane won’t contest a sentence that could land him in prison for at least nine years and four months.
The Massachusetts man also confessed to how he pulled off the breach: by simply testing a staff member’s username and password combination. That one lucky guess gave him access to personal information belonging to 62 million children stored by PowerSchool. Soon after the data breach, PowerSchool received an extortion demand for $2.85 million in Bitcoin. The company paid, hoping to prevent further fallout, but schools in Canada and North Carolina were still hit with threats from unknown individuals demanding money.
While court documents name Lane as the primary hacker, they also mention unnamed co-conspirators who targeted another company. The identities of those behind the extortion threats remain unclear.
News of the breach and Lane’s guilty plea hasn’t earned him much sympathy online. Although he is only 19, many people feel that what the Massachusetts man did was far too serious to be brushed off as a youthful mistake. For them, the scale of the data breach, which exposed personal information including Social Security numbers of over 60 million children, is simply too massive to overlook.
One user summed it up bluntly: “It’s textbook cybercrime and he probably took the plea so he wouldn’t get annihilated in court. His sentence will be less than a decade, which isn’t unreasonable considering the damage.”
Others questioned how such a breach was even possible in the first place. Many pointed fingers at PowerSchool’s security practices, especially after it was revealed that the hacker gained access by trying out a basic username and password combination. One Redditor asked, “You wanna tell me why an account with access to 60 million SSNs doesn’t have 2FA?”
Some people directly criticized PowerSchool, especially after its public statement saying, “It pains us that our customers are being threatened and re-victimized by bad actors.” Many found this statement inadequate since the company also shares responsibility for the data breach by failing to maintain strong security measures to protect its customers’ and children’s personal information.