Matthew D. Lane, a 19-year-old student at Assumption University in Worcester, Massachusetts, has agreed to plead guilty to a series of federal cybercrime charges after orchestrating a sophisticated hacking and extortion scheme targeting two major U.S.-based companies.
Lane faces charges including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft, according to the U.S. Attorney’s Office for the District of Massachusetts.
Federal prosecutors allege that Lane, along with unnamed co-conspirators, infiltrated the computer networks of a U.S. telecommunications company and PowerSchool, a leading education technology provider whose software serves over 60 million students across North America.
The attacks, carried out between April and May 2024, resulted in the theft of millions of sensitive records containing confidential and personally identifiable information (PII) of students and teachers.
How the Cyber Extortion Scheme Unfolded
The Department of Justice describes a multi-stage attack. Lane first targeted the telecommunications company, stealing confidential customer data and demanding a $200,000 ransom in Bitcoin.
He threatened to publicly leak the data if his demands were not met, using encrypted messaging applications and anonymized email addresses to communicate and evade detection.
After this initial extortion attempt, Lane leveraged stolen login credentials from an employee at the telecom firm, who also worked as a contractor for PowerSchool, to gain unauthorized access to PowerSchool’s computer network.
The breach allowed Lane to exfiltrate vast quantities of PII, including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information, and passwords.
Lane then transferred the stolen data to a server he leased in Ukraine, escalating his demands by threatening to leak the information of more than 60 million students and 10 million teachers worldwide unless PowerSchool paid a ransom of approximately $2.85 million in Bitcoin.
In one message to a victim company, Lane wrote, “We are the only ones with a copy of this data now
Stop this nonsense, or] your executives and employees will see the same fate. Make the correct decision and pay the ransom. If you keep stalling, it will be leaked”.
Technical Terms and Legal Implications
This case involves several key cybercrime concepts:
- Cyber Extortion: A crime where attackers gain unauthorized access to sensitive data or systems and demand payment to prevent the release or destruction of that data. Ransomware and data-leak threats are common tactics.
- Protected Computers: Under U.S. law, a protected computer is any device used in interstate or foreign commerce or communication, including those located outside the U.S. but affecting U.S. commerce. Unauthorized access to such systems is a federal offense.
- Aggravated Identity Theft: This charge involves knowingly using another person’s personal identifying information to commit a felony, such as fraud or extortion.
If convicted, Lane faces up to five years in prison for each of the cyber extortion and unauthorized access charges, and a mandatory consecutive two-year sentence for aggravated identity theft, along with substantial fines.
The case underscores the growing threat of cyber extortion and the severe consequences for those who exploit digital vulnerabilities for personal gain.
The FBI and federal prosecutors have reiterated their commitment to aggressively pursuing cybercriminals, regardless of age or motivation.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?resize=1600,900&ssl=1&description=Lane faces charges including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft){kind=link}