Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Teen Hacker EXPOSED! PowerSchool Breach Puts 60M Kids at Risk | Protect Your Children Online
60 Million Students Exposed in PowerSchool Cyber Attack: What Parents Need to Know NOW
A 19-year-old hacker named Matthew D. Lane pulled off one of the largest education data breaches ever, targeting PowerSchool and exposing the personal information of over 60 million students and educators across North America. This real cybercrime story dives deep into the extortion scheme, how the breach happened, what this means for your child's identity safety, and the urgent steps parents and schools must take to protect student data right now.
From the Cyber Crime Junkies Podcast: True Cybercrime in the Classroom.
Chapters:
00:00 Teen Hacker Matthew Lane: Rise of a Digital Criminal
06:39 PowerSchool Breach Details: How the Attack Happened
12:55 Ransom Demands & The Cyber Extortion Scheme
18:18 Legal Fallout: What Happened to the Hacker
24:05 School Data Security Fails: What It Means for You
30:43 Education Cybersecurity: What Must Change Now
Learn How To:
- Protect your child's data online
- Spot the red flags of school-targeted ransomware
- Take real steps to prevent identity theft in education
Host (00:17.848)
Today's episode brings us to Sterling, Massachusetts. What if I told you a quiet, shy boy living with his parents in an East Coast small town suburb, fresh out of high school, just 19 years old, just starting as a college freshman, but he wasn't like all other college freshmen. This boy, Matthew Lane, hacked into some large organizations, working with other young hackers across the country and extorted the victims
for millions. Then one morning he got a loud knock at the door and he wound up being arrested. While he had succeeded in extorting both organizations, he did so at the price of affecting the medical and financial lives of 60 million students, teachers, and staff in the K-12 organizations and that education K-12 space all across North America. This isn't fiction.
This is federal court. This is the story of how to protect children online. The PowerSchool breach. Small talk sucks, so let's dive in.
Host (01:32.429)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.
Host (01:51.969)
Meet Matthew D. Lane, teenager, freshman student at Assumption University, and until recently, a virtual ghost on the internet. From Sterling, Massachusetts, Lane wasn't known for much. No public social profiles, no news articles, not even a student spotlight. Just your typical quiet freshman. Until he wasn't.
Host (02:23.425)
In April, 2024, Lane and his still unidentified co-conspirator from California, Lane was over in Sterling, Massachusetts at the time, they launched a full blown extortion campaign against a U.S. telecommunications company. A telecom hack happened between April and May of this past year, 2024. Lane conspired with his partner
to extort $200,000 from this telecommunications firm, threatening to leak stolen customer data. He personally sent extortion threats and tried to use encrypted apps to anonymize his identity. He entered the extortion game that month in April, 2024. There's no records of him being involved in hacking prior, at least none that have come out yet. And in his efforts, he was attempting to extort
this US-based telecom company for $200,000. It tied back to data that was previously stolen back in October 2022, purportedly by another member of Lane's hacking group. The US telecom group did not comply, even though Lane lowered the ransom down to $75,000. Undeterred, Lane told his hacking group that, "we need to hack
another company that'll really pay this time." So they collected what they could from the telco and set their eyes on a bigger prize. He had told the telco when he was negotiating his extortion with him, he said, quote, stop this nonsense or your executives and your employees will see the same fate. Unquote.
He used encrypted Signal chats, anonymous emails, and classic hacker scare tactics. And it worked. The company ultimately paid off. But then he set his sights higher. And for a freshman kid in his first year of school, this was right at the beginning. And he set his sights extremely high. Well, here comes the real
Host (04:43.308)
jaw dropper. In September 2024, he used stolen credentials. He gathered those stolen credentials, the stolen passwords, the stolen login information, either through a phishing campaign or he bought it online from an initial access broker. We've talked about IABs, initial access brokers, before. What they do is they gain entry or they find compromised credentials and then they sell them in marketplaces online.
And they're just not part of like a ransomware group or an attacking group going after them. They just sell the initial access. That's why they're called initial access brokers. And they'll sell for three, $5,000 and then more organized, more mercenary groups will buy that access and then go and attack the actual victim. So here it's speculative, but that's what it clearly seems in the industry. They're saying that happened.
And he did it to breach a very, very large organization, not just the regional telco that they were demanding a couple hundred grand for and took a lot less. This one involved PowerSchool, the software provider that's used by over 18,000 school districts and over 60 million students across North America. Before I share the result of our research, let me ask you, did you know
that a single set of compromised credentials could expose the personal data of over 60 million students and teachers? How could a lack of multi-factor authentication and standard real-time threat detection allow hackers to breach one of the nation's largest school information systems? After just a few months into 2025, the recent hack of the US EdTech giant PowerSchool is on track to be one of the
biggest educational data breaches in recent years. PowerSchool provides K-12 software to all of those students, 18,000 different schools throughout Canada and the United States, and they support some approximately 60 million students across North America. They first disclosed their data breach early this year, January 2025. But what we're about to see is
Host (07:09.376)
The breach and the compromise occurred a lot longer, a lot earlier, and sat there undetected for a while. PowerSchool was once owned by Apple. It was sold by Apple in the early 2000s, and it was publicly traded. And then they got bought out. They had Vista Equity Partners as investors. In October of 2024, right as this all was going on, Bain Capital, the
infamous Bain Capital, the global investment firm, they bought PowerSchool for $5.6 billion and took them private.
Host (07:52.524)
A California based company said an unknown hacker used a single compromised credential, meaning one person's login information. That's it. That's what that means in English. And from there, they breached its customer support portal and stayed inside for over a hundred days. Undetected. We talk about this all the time. The importance of real time detection.
I invite the listeners to freaking Google it. You can Google how long are hackers inside my network undetected and you will be mind blown by the answer. So here they were inside over a hundred days, totally undetected. Multiple investigations indicate that the credentials used to access PowerSchool's PowerSource customer support portal had been available on the dark web for a considerable time.
before the December 2024 incident. This suggests that the credential was compromised in an earlier breach or via phishing and then leaked online, just like we just explained through the initial access brokers. The result, well, it was pretty clear. Prior credentials of PowerSchool were leaked online and then predating this was a prior breach or phishing. Password reuse is a very common cause of this.
Now once inside the PowerSource tool inside of PowerSchool, the attacker, Matthew Lane, the 19-year-old kid, exploited a maintenance tool designed for PowerSchool engineers, allowing them to access customer student information instances, SIS instances, which are student information system. Think of everything involving a student.
medical records, the emotional things, the outbursts, the grades, the health care information, the parents, the next of kin, the emergency contacts, all of that. This access that Matthew Lane and his counterpart gained facilitated the extraction of data from student and teacher database tables. Extraction, exfiltration, all fancy words for stealing. So back in
Host (10:18.268)
August 16th of 2024, the initial unauthorized access occurred and all of that remained undetected by PowerSchool until late December. So from August 16th all the way to late December. On September 17th, 2024, a second unauthorized access occurred with the same credentials. Again, completely undetected by PowerSchool.
And all of this happened months before the breach was detected. So what were they able to access? What is taken from the students, teachers, and staff? Well, students and faculty staff members, full names, their physical addresses, their home addresses, their phone numbers, their passwords for logging in.
And still it's unclear what will happen to the leaked sensitive data of over 60 million students and 10 million teachers. The breaches resulted in over 100 districts suing PowerSchool and several districts being contacted with follow-up extortion threats. The court documents that have been involved in these cases, we've gone through all of them, we're going to talk about them just briefly in a second. We're not going to get into the legal minutiae that would be dry.
But the court documents suggest that PowerSchool didn't know about the data breach for over 100 days until Lane, Matthew Lane, that 19-year-old from Sterling, Massachusetts, until he began extorting the company on December 28th when PowerSchool first said it learned of the incident. It seems like their first awareness of this is when he starts extorting them at the end of December, right after Christmas.
So how did the attack happen? We've kind of gone over this. The early investigation into the attack provides some clues, namely credential theft. They compromised or used credentials to access PowerSchool's PowerSource customer service portal. It's not.
Host (12:28.31)
totally clear how they were able to access the compromise of the credentials, though credential theft is really common. It can happen when you click on a phishing email. It can happen various other ways by reusing passwords and being involved in other breaches. Credentials can be potentially stolen in a number of different ways, including phishing and social engineering attacks. And then after that, the unauthorized access occurs. The PowerSource customer support portal
that the cyber attacker accessed, it contained that maintenance tool that allowed PowerSchool engineers to access customer student information instances in order for them to be able to support and troubleshoot performance issues. Think like this: PowerSchool, they're providing their software to 18,000 school districts across North America. When a school district has problems accessing something or something isn't configured right, the
PowerSchool IT team, internal team, needs to use this tool so that they can deal with the customer support and they can make changes and configurations and stuff in order to repair it. While Matthew Lane and his counterpart got access, unauthorized access, and were able to use that tool, which allowed them to touch 18,000 different school districts and all of the students, teachers, and staff of all of them.
It's a major, major breach. Once inside the system, they accessed and exported the data management customer support tool to extract the data from PowerSchool student information students and the teachers database tables. So by accessing this PowerSource instance, they were able to get names, addresses, social security numbers, but they were also able to get this medical information.
parent contacts, even login passwords. It exposed a lot of sensitive information for kids. Special education status, student special ed development plans, and diagnosis, mental health data, parental and student legal proceedings, custody proceedings, otherwise sealed information like custody agreements, restraining orders, and other legal information are all exposed on the dark web now.
Host (14:54.986)
Medical records, social security numbers like we mentioned, home addresses, home and phone cell numbers, right? First, full names of students, parents and teachers, and then all of the medical and mental health data. Testing records, student grades, right? There is a medical alert field inside of PowerSchool that contained health information. Parents wanted their students' schools to be aware.
When asked why it had not listed special education status, custody agreements and disciplinary notes in its original notice about what data had been exposed, PowerSchool was far less than transparent. Their spokesman had said the fields are not created by PowerSchool and were customized add-ons put in place by schools. But it's still involved in this breach and should be explained.
Adam, for example, Adam Larson, an assistant superintendent at an Illinois school district that got breached here, who also works as a data consultant for the schools, said a handful of his school district clients had sensitive student mental health and special education data all exposed from this PowerSchool breach. So what did Matthew Lane and his counterpart do with it? Well, they siphoned off all that data and stored it on a rented server in the Ukraine.
I you not. And it gets worse. The US prosecuting attorney Foley wrote in a court filing that Lane had access to the company's student and teacher data, including names, email addresses, and listed all everything that I just mentioned. He allegedly told the company, PowerSchool, that if it didn't pay nearly $2.85 million in ransom, he would quote, leak, unquote, the stolen information.
quote, worldwide, unquote. So he was threatening the individual, he was threatening PowerSchool. And then before they end, after they agreed to pay him a ransom, he was going after the individual school districts, threatening to expose all the children's and staff and teachers information that's highly sensitive and will affect them the rest of their lives.
Host (17:19.488)
while the entire time while they're in their formative years, all of that worldwide. So he was playing really hard with them. So why did PowerSchool not like stop the attack? Why did this large company not be able to find this before a hundred some days? I mean, it's a multi-billion dollar company. It's owned by Bain Capital for Christ's sake. They're supporting 20,000
big customers across the globe, but the reality is much different. And they got slapped in the face by this kid right out of high school. PowerSchool had 106 days from when the hacker first accessed one school district's data in August and September of 2024 to when he stole thousands of districts data in late September. But they didn't detect it, and therefore they didn't stop the incident.
And that's important because the states in the school districts have to entrust these vendors like PowerSchool with all their data. And it lives on the vendor's platform. There is literally nothing the districts could have done to prevent the data breach. That's our take on it. PowerSchool confirmed and this is the... I mean, this is where it's like a palm slap in the head.
of levels of ridiculousness. So not only did they not invest to have real-time detection, have multi-factor authentication, which could have arguably stopped this, but PowerSchool confirmed that it paid a ransom, which the FBI always recommends not to do because you are funding cybercrime, but they paid a ransom and they never disclosed the amount. So they never told people, first of all,
true timeline until it came out after 2025 from the CrowdStrike investigative report after the breach went public. But then they didn't disclose all the different details and how sensitive the data was. In addition to that, asked when they paid the ransom, and this is the mind blowing thing, forehead slapping moment is
Host (19:44.118)
PowerSchool is on record saying, well, there is no evidence whatsoever that any of the data is being leaked online. Why do they do that? And why do they believe that? Well, first of all, their sole reason is that the attacker, either Matthew Lane or his currently unidentified co-conspirator over in California,
They did a FaceTime video showing them deleting the data. Okay. Really? Like, okay. And they bought that and that's their reasoning. Like we saw them delete it. They were pressing keys on a keyboard. We saw them delete it. Unbelievable. Right. So with that, and here's the best part is after that occurred, then
right? And they were convinced that we've paid them this major ransom. We've seen the video. We are convinced that they're not going to do it except they did. Right? So after this, what happened was they went and they, Matthew Lane and or his counterpart went and started to extort individual school districts. So they're getting what they can get out of PowerSchool and they convinced PowerSchool, Hey, here's a video. Like you're all good.
But then after that, they went after individual school districts and that's all laid out in several of the over a hundred lawsuits that are pending that we took a look at. Like it was ridiculous. So let's back up here just a bit. That was a lot of information to share. So I want to back up and I want to recap some things to kind of give you some context. Makes sense? Let's dive into that. In December 28, 2024, PowerSchool receives
Matthew Lane's ransom demand. It's his ultimatum. Pay me 30 Bitcoin around $2.85 million or this data goes public. That is the literal quote. Pay me 30 Bitcoin around $2.85 million or the data goes public. That is extortion right there. PowerSchool reportedly paid the ransom.
Host (22:08.736)
They watched the data be deleted, air quotes around the word watched the data being deleted over a video. Anyway, I can hear the gasps of ridiculousness and the forehead slapping. I mean, did we just say that aloud? So according to court documents from the U.S. Department of Justice, the DOJ made public on May 20th, just a couple of weeks ago, 2025.
PowerSchool received the extortion demand of approximately $2.00 in Bitcoin. The ransom was paid. We don't... PowerSchool has not disclosed the exact amount of the ransom. The ransom was paid in exchange for a video that allegedly showed the attackers claiming to delete the only copy of the data. Okay, here's a news flash. That's not true. That's not the way it works. Never, ever do that. Ever. Under any circumstances. Right? Showing a video
of somebody deleting something is meaningless, they didn't really delete it. Okay? I can't believe I had to say that. But then what's interesting is as late as May 7th, after all that, they were sending extortion emails to schools in Canada and North Carolina that included samples of the stolen data because they send that with the demand. It's a proof of life, right? They are sending proof. We have your data. Here's a screenshot of
several pieces so that they know it's their data. It's stolen and it's in the hackers' hands. So the data apparently, and that's really not the end because even days after that school employees keep getting new extortion threats. So the data is still out there. So none of this has even resolved it. So what's the impact of the attack? Let's think about this. PowerSchool data breach had a broad impact.
on students, educators, and the educational institutions throughout the K-12 space throughout North America. First, there's privacy concerns. The data leakage of private information, personal identifying information, information that can be tied directly to a child, right, that is sensitive and should be sealed, right? That puts individuals at risk of identity theft and fraud. And why is that so bad?
Host (24:34.649)
We've talked about it numerous times on this on the show and it's this: kids' identities can be used by threat actors for decades before the kids are even aware of it. Why? Because most parents don't freeze their kids' credit and they never monitor their kids' credit. Why? Because they're not taking loans out. Little Johnny is four years old. Right. Little Johnny's identity can and often is
used repeatedly. And what happens is when they become of age and they're trying to get loans and their FICO score matters etc. We've met the families, we've had them on this show, right? Like where they're like they have a foreclosed condo in Nevada, they have a hundred thousand dollars in medical bills, they have a car that's been repoed. All this from a child's identity because from there they will take that, they will create new
identities, will take loans out in that name, they will get names legally changed, all tied back to that individual child's social security number, and the kid and the parents have no freaking clue. And this is what happens regularly. We talk about it on this show. So what is the cure for that? Guess what? It's free. Just freeze your kids' credit. Do it. It's free.
We even show you how to do it and we give you the steps right on our website, cybercrimejunkies.com. So what are the other impacts from this breach? The long-term risk. The compromise of personal data can have long lasting effects as data such as social security numbers, birth date information can be misused for years into the future, especially among minors. There's also the financial impact. Education districts and schools
will need to spend money now to improve cybersecurity and provide higher degrees of privacy assurance because this exposes all of their weaknesses. And then there's legal challenges, which are not cheap. There are lawsuits pending, over a hundred of them, against PowerSchool and various school districts need to be paying for that. And even if they win, there are still going to be a lot of costs.
Host (26:55.791)
lot of time and resources involved in depositions, court filings, motion practice, you name it. And then there's operational disruptions. While PowerSchool claims no operational disruptions, affected school districts will need to implement new security measures and update data management practices and privacy controls. All that now has to happen. So let's talk about the legal reckoning for a second.
On May 20th, 2025, the US attorneys charged Matthew Lane with the following: cyber extortion conspiracy, unauthorized access to protected computers, and aggravated identity theft. Well, just last week, he was in court with his family flanked by his side and Matthew Lane pleaded guilty to all of it.
He told the judge the following, true, he told the judge, all of it. He literally said, everything you just said, you just read in that indictment is true. Every bit of it. Prosecutors say Lane could face up to 17 years in prison and they're demanding a minimum sentence of 94 months. That is nearly eight years. So what Matthew Lane is facing
is going to be life changing for him. He's agreed to forfeit over $160,000 in cash and any crypto assets tied to the crime whatsoever. His sentencing is scheduled for ironically 9-11. So September 11th of this year 2025 and we will update you after that. He is set to be sentenced.
He's currently living under house arrest with his parents and is banned from using any internet connected devices. And naturally, he's no longer in college. So why does all this matter and why do we care? Well, the breach wasn't just massive. It was kind of personal, right? Parents believe their children's info is safe. Teachers trust their districts. Schools trusted
Host (29:17.637)
PowerSchool. But PowerSchool didn't detect Lane's access for over 100 days. 100 days. While this kid, barely out of high school himself, was inside their systems exfiltrating, again fancy word for steal, all of that private sensitive information. And let's not forget the ambulance chasers. Let's cue the lawsuits. Over 100 school districts are now suing PowerSchool. So there's going to be a lot
of exchange of all this information and digging into the details and depositions. North Carolina's attorney general called it a serious compromise. Several lawsuits have been filed against PowerSchool following the breach. One of them is a class action suit filed by the law firm Hagens Berman on behalf of the affected students and families. And another lawsuit involves the Memphis Shelby County Schools.
These lawsuits are seeking both monetary damages and injunctive relief, including reimbursement for expenses and costs associated with the breach. Here's a more detailed breakdown. So the Memphis Shelby County Schools lawsuit, it's the largest school district in Tennessee. They filed a lawsuit against PowerSchool in the US District Court of Southern California, accusing them of negligence, breach of contract, false advertising.
related to the breach. They're asking for money and reimbursement of costs. The class action suit filed by the law firm Hagens Berman, that was filed where they're representing the estimated 60 million students and families affected by the breach. That lawsuit alleges that PowerSchool failed to adequately protect the sensitive data of students and families. There's another class action lawsuit by Chandral Okani.
They filed a class action lawsuit in the U.S. district of the Eastern District of California, claiming her children were impacted by the breach. The lawsuit alleges that PowerSchool was negligent and failed to provide timely notice or transparent notice to affected users. Again, there's that long gap where there wasn't any detection. And then when they came out, they were very vague.
Host (31:40.229)
about what was actually released in a timely manner. It wasn't until months later when the CrowdStrike report came out at the end of January, early February of 2025, that things started to leak out to the public. There's also a whole host of other lawsuits and investigations. We mentioned there's close to 100 lawsuits that we've reviewed that we know of. There's a potential multi-district litigation called an MDL.
to consolidate the various cases. And there's also Canada, because a bunch of these school districts that were breached were in Canada. So Canada's privacy commissioner also announced a new fresh investigation into the breach. And the bigger picture is the education sector. It's bleeding from every side. Over 82% of K-12 schools in the US reported a cyber attack in the past year. 82%.
The average time to detect a breach in the education technology space, over six months. And it's only getting worse. We're talking supply chain attacks like this one with PowerSchool. You hit one vendor, you're able to affect a thousand schools instantly. This is a really frustrating breach. So let's take a look real quick at what our hot take is on this and what the highlights of this are.
I mean, the final twist in our hot take recap, if you will, is how in the freaking world can this happen? It's embarrassing and PowerSchool should be embarrassed. They didn't seem to do things correctly until after they got breached. And then they've really had a struggle being transparent with the families, the teachers, the districts and the children. I mean, look, anybody can be breached. We understand that. And we generally don't.
dog on victims of breaches. But the victims here weren't PowerSchool necessarily. The actual victims are the children and the actual school districts who all relied on them. They relied on PowerSchool in their supply chain. And PowerSchool didn't even have the multi-factor authentication. Very basic, standard, right? And they didn't have threat detection.
Host (34:03.107)
Not every school district has threat detection, although they should, but because of costs, sometimes they don't have active eyes on glass, like what a security operations center does. But PowerSchool should have. How could they not be held to that standard? They're holding and having access to 60 million students' private data. How do they not be required to have threat detection, 21st glass, to know about it within minutes?
Not 106 days later. It's mind-blowing. I mean, it just blows your mind. PowerSchool had told schools in January that it paid a ransom to a hacker and that they watched the data be deleted via video. I mean, if that's not an aggravating circumstance because of the stupidity there or the mind-blowing ignorance, I don't know what else. They've expressed confidence that the data would not be
leaked, but and all this has been reported in local media. WRAL there has reported on it several times, but days after WRAL reported on it in the news, several North Carolina school district employees began receiving additional new threatening messages from Matthew Lane and his co-conspirator claiming to have had the data and asking for Bitcoin to keep the data secure. So it keeps getting worse.
Right? Now they're going after the individual schools after that. And I mean, just think about detection. Why wasn't it in place here? Nor multi-factor authentication. None of these are rocket science, new trending, emerging technologies. These have been around for decades. This is standard, reasonable care. And it wasn't done here. So we would argue that this is going to be really tough.
for PowerSchool to battle against in court. And it's gonna be interesting to see where the juries and where the judges land on this. The bottom line is PowerSchool had over a hundred days to detect and had millions of dollars of revenue to exercise reasonable care. They literally held the private data of tens of millions of our most innocent civilians, our children, and they relied on a 19-year-old criminal
Host (36:27.813)
who showed them a video claiming to delete the data. It's like amateur night at the cybersecurity bar. It's unbelievable. And then they've really battled with transparency. And this is the thing that's really getting a lot of people upset in the security community. Because despite acknowledging the investigation's findings, PowerSchool has neither disclosed the number of the total number of students and faculty members affected by the incident. They still haven't done it even yet today.
They've also not confirmed its awareness of the two prior breaches. They hadn't done that until the CrowdStrike report came out in early March of 2025, saying that there had been the exact same access with exact same credentials back in September, right? Like two times prior to the time when they exfiltrated all the data. So they had been in for a long time.
At this time, PowerSchool still has not officially shared the total number of impacted schools, students or teachers raising concerns about transparency. Now sources have told various media outlets, including Bleeping Computer, and we'll have links to all this in the show notes, that the breach impacted 6,505 school districts in the US, Canada and other countries with 62 million students.
The exact number, according to Bleeping Computer, is 62,488,628 students and 9,506,624 teachers, all having had their data stolen. At end of the day, Matthew Lane didn't break into one school. He breached the backbone of the entire education system. One kid, one stolen password, 60 million victims.
Let that sink in. I'm David Barrow and this is the reality of how organizations value our data and our children's data. And Matthew Lane, this is the face of cybercrime today. This is Cybercrime Junkies and we hope you enjoyed the story.