A U.S. judge has handed down a four-year prison sentence to Matthew Lane, the hacker behind the December 2024 breach of PowerSchool, which exposed sensitive personal data of millions of students and educators across Canada and the United States.
Judge Margaret Guzman of the U.S. District Court in Massachusetts also ordered Lane to pay more than US$14 million in restitution and a US$25,000 fine, according to the U.S. Attorney’s Office. The decision follows Lane’s guilty plea in June to charges of cyber extortion, aggravated identity theft and unauthorized access to protected computers.
According to prosecutors, Lane gained entry into PowerSchool’s systems using stolen credentials from a prior telecommunications breach and intended to extort the company, threatening to release student and teacher records if a ransom was not paid.
The breach compromised data of more than 2.7 million Canadian students — current and former — along with millions more in the U.S. Depending on local records held by school boards, the stolen information included names, birth dates, home addresses, emergency contacts and, in some cases, Social Insurance Numbers.
Multiple Canadian provinces were affected, including Ontario, Alberta, Manitoba and Nova Scotia, as many school systems use PowerSchool to manage student, medical and educational data.
PowerSchool said it resolved the vulnerability discovered on October 2, 2024, and engaged external security experts to strengthen its defenses. The company stated that the stolen data was not sufficient to enable unauthorized purchases or account takeovers.
In a statement, PowerSchool expressed gratitude for law enforcement’s efforts in prosecuting the case. Lane’s legal representative declined to comment when contacted.
Canadian privacy authorities have also played a role: the Office of the Privacy Commissioner of Canada said it would discontinue its investigation into PowerSchool after the company committed to enhanced cybersecurity, improved detection tools and third-party assessments. However, provincial privacy regulators such as Ontario’s IPC continue to investigate school board practices and compliance under provincial privacy law.
For insurers, the PowerSchool breach is a sharp reminder that even non-financial sectors — such as education and public administration — can generate catastrophic exposure, underscoring the need for cyber liability coverage to keep pace.
Insurers underwriting school boards or service providers tied to educational technology may now revisit their cyber risk models, adjusting for higher breach likelihood, increased reputational impact and layered liability scenarios.
The case also highlights the challenge of data retention policies and scope creep: school systems often store decades of sensitive data that can become a vulnerability. Insurers may increasingly demand stronger data minimization, encryption, privileged access controls and incident response readiness from clients in this domain.
The prosecution of a high-profile hacker reinforces the importance of deterrence and accountability in cyber risk ecosystems, potentially influencing premiums, terms and claims behaviour in Canada’s public-sector and education verticals.
Lane, who was a student at Assumption University in Worcester, Massachusetts, when first charged, had also targeted another company before the PowerSchool breach. Prosecutors said that in mid-2024 he exploited an earlier data breach at a telecommunications firm and, posing as a member of a well-known hacking group, demanded a US$200,000 ransom to prevent data leaks. Using the same stolen credentials, he infiltrated PowerSchool’s systems and later demanded a US$2.85 million bitcoin ransom to avoid public disclosure of student and teacher data.
PowerSchool ultimately paid the ransom to have the information deleted, according to U.S. court filings. Several Canadian school boards later received their own ransom demands using data accessed in the same breach.
