A student from Massachusetts is set to admit guilt in a significant federal case involving the hacking and extortion of a major educational technology firm, as confirmed by prosecutors on Tuesday.
Matthew D. Lane, aged 19, allegedly exploited stolen login credentials to infiltrate the systems of a prominent software provider that caters to educational institutions across North America and beyond. This breach reportedly compromised the personal data of over 60 million students and 10 million educators.
The compromised data included sensitive information such as names, addresses, phone numbers, Social Security numbers, medical records, and academic performance. In some instances, the hackers accessed decades’ worth of historical student records.
While the specific company involved has not been disclosed, federal prosecutors provided details that align closely with a data breach reported by a well-known education software company, which acknowledged in January that it had been targeted by hackers as early as August and September 2024. This breach primarily impacted schools in the United States and Canada that utilize the software for managing student records, attendance, and health information.
According to prosecutors, Lane collaborated with an unidentified accomplice from Illinois to extort approximately $2.85 million in cryptocurrency from the educational software provider, as detailed in the criminal complaint.
The software company confirmed in January that it had made a payment to the hackers to ensure the deletion of the stolen data, although it did not disclose the exact amount. Recently, several school districts reported receiving extortion threats from individuals claiming that the stolen data had not been destroyed. The company clarified that these threats were not linked to a new incident, as the data samples matched those previously stolen in December.
Lane’s plea agreement was first reported by a major news outlet.
A spokesperson for the software company acknowledged awareness of the legal proceedings but referred further inquiries to the U.S. Attorney’s Office for Massachusetts, which opted not to disclose the identities of the victims involved.
When questioned, the spokesperson did not contest the ransom amount cited by prosecutors.
In addition to the current charges, Lane is also accused of hacking and extorting another entity, identified by prosecutors as a telecommunications provider in the U.S., although the name of this company was not revealed in the plea agreement.
Lane’s legal representative did not respond to requests for comment regarding the case.
This article has been updated to include a response from the U.S. Attorney’s Office for Massachusetts.