A single set of stolen login credentials helped a 20-year-old walk off with the private records of roughly 70 million people tied to American schools—and the scariest part is how ordinary the entry point was.
Quick Take
- Matthew Lane, a Massachusetts college student, confessed to leading a ransomware attack on PowerSchool, a company used by most North American school districts.
- Investigators say Lane and a co-conspirator used contractor credentials found online to reach deeply sensitive student and teacher data.
- The breach exposed the real-world cost of “data everywhere” schooling: SSNs, birth dates, grades, and even medical information caught in the blast radius.
- Lane pleaded guilty and was sentenced to four years in federal prison, plus more than $14 million in restitution.
- His first public interview framed hacking as an “addiction,” reigniting debate over deterrence, parenting, and the soft underbelly of modern education tech.
The PowerSchool breach showed how “big” hacks often start small
Lane’s account and the court record point to a familiar modern pattern: the most damaging cyberattacks don’t begin with movie-style brilliance, but with access that should have been shut down.
In fall 2024, Lane and an unnamed co-conspirator allegedly got into PowerSchool using stolen contractor credentials that were already circulating online.
From there, they reportedly stole a staggering mix of personal and academic data and demanded about $3 million in Bitcoin.
PowerSchool sits in a uniquely tempting position because it functions like a digital main office for schools.
When a vendor serves a large share of districts, a breach can ripple across thousands of communities in a single day. Families often think of schools as low-risk compared to banks or hospitals.
Cybercriminals think the opposite: schools must keep operating, administrators face public pressure fast, and the data—especially SSNs tied to children—stays useful for years.
“Addicted to hacking” isn’t an excuse, but it is a warning label
Lane told ABC News he felt addicted to hacking, compared the thrill to drugs, and described spending on clothes, jewelry, and drugs.
Readers over 40 have heard criminals blame impulses forever, so skepticism is healthy.
Still, the addiction framing matters because it describes a motivation that doesn’t look like old-school fraud.
Some young offenders chase status, speed, and domination more than money, and that makes them unpredictable. Unpredictable attackers don’t stop when they “get enough.”
Lane’s background adds a sharper edge: he studied cybersecurity and computer science, yet crossed the line repeatedly, starting as a teen.
That detail undercuts the comforting myth that “if we just teach kids tech, they’ll use it responsibly.” Skill without character is a loaded weapon.
ABC News speaks with a young hacker about what experts call a wide-ranging menace: a new generation of tech-savvy teens who are uniquely dangerous and surprisingly young.
Read more: https://t.co/dT7i0OBzz3 pic.twitter.com/VPmlS8zvzK
— ABC News (@ABC) April 14, 2026
The victims weren’t corporations; they were children with decades of exposure
The most consequential detail in this case is the kind of data taken. A stolen credit card can get canceled. A stolen Social Security number attached to a child can sit quietly until adulthood, then surface as a wrecked credit file, a fraudulent tax return, or a synthetic identity.
Reports described compromised information, including SSNs, dates of birth, grades, and medical details. That mix turns a school database into a lifelong vulnerability, and families never consented to carry that burden.
Local reporting in the Chicago area captured the emotional punch: parents freezing credit, trying to protect kids who can’t even spell “equifax” yet.
That’s the hidden cost of digitizing everything in education with too little discipline about what must be collected, how long it should be kept, and who gets access.
Convenience won. Now families pay. The practical lesson sounds unglamorous but saves futures: minimize data, limit access, and assume every credential will leak.
Prison time signals deterrence, but restitution and reform do the heavy lifting
Lane pleaded guilty in 2025 to charges that included unauthorized access, identity theft, and cyber extortion, then received a four-year federal prison sentence in November 2025 plus more than $14 million in restitution.
The sentence matters because deterrence matters. A culture that treats cybercrime like a clever prank invites copycats. Lane himself reportedly said he was thankful he got caught and that he would not have stopped—an argument for firm enforcement, not softer handling.
Restitution, though, raises the real-world question: how does a young offender ever repay damage at this scale? The answer is he probably can’t, at least not fully.
That reality should push policy toward prevention: tighter vendor security requirements, real audits, credential hygiene, and consequences for organizations that treat student data like an unlimited resource.
What parents, schools, and vendors should take from Lane’s “cautionary tale.”
Lane’s story will tempt some people to focus on the psychology of one young man, but the bigger plot sits in the infrastructure.
Schools rely on sprawling third-party ecosystems: contractors, integrations, logins that never die, and systems built for ease, not resilience.
Attackers don’t need to “hack the school.” They hack the weak link attached to the school. The most common-sense fix is boring and effective: reduce the number of vendors, enforce least-privilege access, and rotate credentials like your community depends on it.
'Addicted to hacking': Young hacker behind historic breach speaks out for 1st time, before reporting to prison – ABC News via @ABC – https://t.co/vhwD4zDNNy
— Kev (@blu_kryptonian) April 14, 2026
Parents also deserve an honest playbook. Ask your district what data vendors hold, what gets encrypted, and how long records persist after graduation.
Freeze your child’s credit when breaches hit, and keep documentation. Teach teens that hacking isn’t “curiosity” when it harms people; it’s theft with a keyboard.
Lane’s interview lands because it’s candid, but the takeaway stays simple: accountability protects the innocent, and prevention beats regret every time.
