School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber. Subscribe here.
The Massachusetts teenager set to be sentenced next week for hacking California-based education technology behemoth PowerSchool was a “seasoned cybercriminal” who has targeted educational institutions, government agencies and corporations since 2021, my latest investigation reveals.
Good morning and thank you for tuning in for a special edition of the School (in)Security newsletter. Today, I turn your attention to Matthew Lane, who was a 19-year-old college freshman when he pleaded guilty earlier this year to carrying out a cyberattack on PowerSchool, stealing sensitive data from millions of students and teachers and leveraging it into a $3 million extortion scheme.
In my latest story published this morning, I reveal how Lane wasn’t just “a young kid who struck rich,” according to threat intelligence research conducted by the cybersecurity company Cyble and provided exclusively to The 74. The company’s findings, which mirror sentencing documents released by federal prosecutors on Wednesday, conclude that Lane used advanced techniques to take down his targets including PowerSchool — a cyberattack attack that represented “a predictable escalation rather than an isolated incident.”
Federal prosecutors used similar language, maintaining that Lane’s “crimes were not a mistake resulting from an isolated lapse in judgment,” but rather part of a pattern of criminal cyber activity that dates back to at least 2021.
Sign-up for the School (in)Security newsletter.
Get the most critical news and information about students’ rights, safety and well-being delivered straight to your inbox.
In an analysis of digital fingerprints and data breaches, Cyble analysts concluded that Lane had been engaged in cyberattacks going back to that same time period when he was still in high school. Targets included an alcoholic beverage company, a major U.S. supermarket chain, an Indonesian telecommunications company and the Colombian armed forces, Cyble said. In Wednesday’s memo, prosecutors allege that Lane has hacked at least eight targets, including “foreign government entities.” To this day, prosecutors said, most of the millions of dollars he extorted remains unaccounted for.
In federal district court in Worcester, Massachusetts, on Tuesday, they will ask the judge to sentence Lane, who was known to many in his life as a soft-spoken gamer and skilled computer programmer, to seven years in prison and more than $14 million in restitution.