Matthew Lane texted a journalist one line the morning his parents drove him to a federal prison in Connecticut. He wrote that he was afraid. Sad. Really, aside from the part where he wasn’t, he was just a kid. He had stealthily entered the back door of a company that houses the academic and personal records of almost every public school student in the US a year prior, when he was still a teenager hunched over a laptop in his college dorm.
Until you sit with the numbers from the PowerSchool breach, they seem almost cartoonish. 60 million kids. Ten million educators. Social Security numbers, medical records, and family information are examples of data that never expires and follows a seven-year-old into adulthood. Since then, school boards and investors have been using the same calculations to determine the true cost of the cleanup. To be honest, no one truly knows yet.
| Field | Details |
|---|---|
| Name | Matthew D. Lane |
| Age at Sentencing | 20 |
| Hometown | Sterling, Massachusetts |
| Former School | Assumption University, Worcester, Mass. |
| Charges | Cyber extortion, aggravated identity theft, unauthorized computer access |
| Plea | Guilty (June 2024) |
| Sentence | Four years in federal prison |
| Primary Target | PowerSchool — used by roughly 80% of North American school districts |
| Ransom Paid | $2.85 million in Bitcoin |
| People Exposed | More than 60 million students and 10 million teachers |
| Investigating Agency | FBI Boston Field Office |
| Breach Disclosed | January 2025 |
| Reported To Prison | November 2025, Federal Bureau of Prisons facility, Connecticut |
| Origin of Skills | Roblox cheat forums, hacking message boards |
PowerSchool removed the threat by paying $2.85 million in Bitcoin. That portion is simple. Everything that followed is what isn’t. In the months since, districts in Toronto, North Carolina, Massachusetts, and numerous other locations have hired forensic companies, purchased identity-theft monitoring for families, revised vendor contracts, and watched court depositions. The downstream bill, which ultimately ends up on local property tax bills and superintendents, has been conservatively estimated to be in the hundreds of millions. After class-action settlements are cleared, some analysts predict that it will eventually surpass a billion. It’s still unclear how much of it will be covered by insurance.
In Lane’s story, an odd detail keeps coming up. Roblox was where he began. A child who is bored and wants to cheat at a kid’s game is drawn to forums where strangers have posted images of money on bedspreads. Contrary to what parents would like to think, there is less time between that and a White House Situation Room briefing. Reporters have been informed by FBI agents that they have questioned suspects as young as 14.
A 15-year-old from Illinois was taken into custody last year for an alleged attack that cost MGM Resorts over $100 million. It’s difficult to ignore how the financial harm grows more quickly than the criminal does as you watch this play out.
The fallout has been somewhat costly for the larger market. The value of ed-tech has decreased. In the K–12 sector, insurance rates for cyber coverage have increased, sometimes doubling at renewal. It is being said that smaller districts, which are already under pressure, cannot afford the policies that are most important to them. According to security executives I’ve spoken with, the PowerSchool case marked a turning point in American education when cybersecurity was viewed as a structural cost of doing business rather than an IT line item.
By all accounts, Lane seems to be sincerely sorry. “Disgusting,” he said. “Greedy.” He expressed gratitude to ABC News for the FBI’s presence. It’s another matter entirely whether that repentance matters to a parent in Sacramento whose child’s records are currently circulating through illegal markets. The funds are no longer available. The information is not returning. Another adolescent is currently opening a forum somewhere, observing the same flashing pictures of money and pondering how difficult it might actually be.