19-Year-Old Accused of Largest Child Data Breach in US Agrees To Plead Guilty To Federal Charges

A Massachusetts man has agreed to plead guilty to hacking into one of the top education tech companies in the United States and stealing tens of millions of schoolchildren's personal information for profit. From a report: Matthew Lane, 19, of Worcester County, Massachusetts, signed a plea agreement related to charges connected to a major hack on an educational technology company last year, as well as another company, according to court documents published Tuesday.

While the documents refer to the education company only as "Victim-2" and the U.S. attorney's office declined to name the victim, a person familiar with the matter told NBC News that it is PowerSchool. The hack of PowerSchool last year is believed to be the largest breach of American children's sensitive data to date.

According to his plea agreement, Lane admitted obtaining information from a protected computer and aggravated identity theft and agreed not to challenge a prison sentence shorter than nine years and four months. He got access simply by trying an employee's stolen username and password combination, the complaint says, echoing a private third-party assessment of the incident previously reported by NBC News.

Obligatory.

[Anonymous Coward]

For the geniuses that decided to collect all of this information and make it accessible, I cut the big, juicy, stinky one in their faces.

Re:

[viperidaenz]

How do you propose a school functions without knowing the identity of their students?

At a minimum, they require identifying information for every child and their legal guardians. Names, addresses, dates of birth.

Re:

[Anonymous Coward]

Nobody says these schools have to upload their students data into a third-party data service. Most school districts would be better served to keep the data local and encrypted.

The article says the hackers stole data on 62 million kids, then tried to extort money from PowerSchool along with schools in Canada and North Carolina. School districts that outsource their students data without vetting the security of the company should take a second look at their contracts.

Re:Obligatory.

[Bold_Cucumber]

This. I work at a college and I see this every day. Every big edutech vendor are forcing their clients into SASS models. Ellucian is doing it for their Banner product, so soon their schools will have no choice but to put their entire ERP system in the cloud. It's a security and privacy nightmare. FERPA allows it as long as the outsourcee is doing the "same work" that an employee of the school would be doing. Increasingly these companies are being bought up by private equity groups who don't care about the company's revenues or their clients, they want that data. They figure out all kinds of freaky ways to monetize it. Maybe they don't disclose the student's actual grades, but they can derive a "hireability" score that is a direct reflection of the their grades. They can sell that data to anyone who will buy it, insurance companies, credit card companies, law enforcement, whoever. Who knows how good their security is, what other countries they outsource services to, who they allow access to it. And now they're training AI with it.

10+ years ago these colleges would have balked at handing over all their private FERPA-protected data to a third party, but now they all just think the cloud is the future. If you aren't in the cloud then you aren't "modern." Nevermind that virtually every big data breach you hear about these days could have been prevented if the data were kept private and housed on servers solely controlled by the owners of the data themselves, where you don't have to worry about open S3 buckets or leaked API keys. All these kids wanted was to get an education and before they know it their future is completely fucked because their schools refused to fight for their privacy.

Re:

[angel'o'sphere]

And what exactly has that to do with "cloud".

Re:

[sentiblue]

I don't think school districts have the technical abilities/stability to hold data for an extended amount of time. They simply don't have the capability to guarantee the data will stay long and in tact. In case of a system crash or data loss, they don't have proper equipments and resources to recover. Cloud storage 3rd-party vendor may sound foolish, but it's still safer. Imagine hacking into an elementary school vs a 3rd-party provider. The elementary school has to be easier.

Re:

[Stephenmg]

Most schools don't have the money to code something like this. The schools that do, should be spending that money on something else instead of reinventing the wheel. The regulations on what data schools have to collect and submit to state and federal governments make creating something like this impossible. I also don't see how you expect a school to vet the security. It also doesn't help that funding is being cut to CISA. Many school districts host powerschool locally but the hacker used a support tool t

Re:

[Slyfox696]

Nobody says these schools have to upload their students data into a third-party data service. Most school districts would be better served to keep the data local and encrypted.

The article says the hackers stole data on 62 million kids, then tried to extort money from PowerSchool along with schools in Canada and North Carolina. School districts that outsource their students data without vetting the security of the company should take a second look at their contracts.

At first, I thought to laugh at your post, but after considering it, it is probably that you just do not understand the situation well enough. So I would like to (hopefully) provide context/information to help you understand why your post isn't really possible.

Let's take this a step at a time. These schools are not uploading to a third-party data service, the schools are using a Student Information System (SIS) (in this case PowerSchool) to manage all the functions of the district. PowerSchool provides grad

Nine fucking years in prison?

[rsilvergun]

It's going to cost us a little over a million dollars to throw this 19-year-old in prison. It would be child's Play to prevent him from committing any further crimes just by putting him under probation.

And let's not forget we organize and structure our prisons so that the prisoners can inflict various forms of torture on each other that we're to squeamish to do ourselves.

It's a complete waste of money covered in a thick mess of cruelty for its own sake. But you can bet your ass anyone who suggests any alternative is basically dead to half the country. Got to be tough on crime right?

Re:Nine fucking years in prison?

[sg_oneill]

Prisons a weird institution and it can kinda go either way how it affects people.

Back in the early 90s two local kids who I knew (lived on the same street) committed a terrible assault on some other kid, causing serious brain damage. One stayed with the kid trying to give him cpr until the cops/ambulance arived, the other fled. Both where charged and did about a year of prison each (The one who stayed with the victim got a couple months off for demonstrated remorse).

When they got out. One was completely shook by the experience of prison and vowed never to go again, and went and finished highschool, and last I heard he was working as an auto mechanic. The other was radicalized into crime and ended up a serious criminal enforcer type. I heard he died, but I cant confirm that. The victim, recovered, but very slowly, and apparently still has epilepsy to this day as a result.

It seems that the people prison "helps" probably didnt need that help. The shame of the crime is often more than effective for ensuring it never happens again. For those without shame, it just makes them worse. Unless the prison really focuses on rehabilitation over punishment, norway style.

This is all because of Republican

[Anonymous Coward]

Hierarchy where they need kings and bandits to jail. Polls indicate the overwhelming number of anti-vaxxers are Republican or right leaning and they sure love to send people to jail while jails and the police are completely useless. The right wing is never going to get along well with science because the core of the right wing is a belief that some people are better than others and that there is a hierarchy people get placed in based on innate characteristics.

But fundamentally if you strip away everything f

Re:

[ndsurvivor]

Quote: "It took 10 years but Americans are absolutely terrified of trans people. 10 years of non-stop propaganda did that. A few research poll showed Americans think 20% of the country is trans. That's 40 times the actual number. And realistically again they're only thinking of trans women so it's more like 80 times the actual number." Fox "news" and trump himself keeps repeating lies. That and about Immigrants being criminals. It is pure hysteria, in my humble opinion. I keep wondering if they sto

Re:This line break

[databasecowgirl]

Instead of Enter, use the html for two br's in order to create spaces between paragraphs.

As for the trans hysteria, it's just a politically correct way to gay bash and slag women with the purpose of rolling back gay and women's rights. And it's working.

You're responding to a bot

[rsilvergun]

There's a weird bot going around slashdot but takes my comments and repost them sometimes with bizarre edits of things I never said.

This is a example of that bot. I haven't quite figured out why they're doing it.

I think what's going on is it's one of the right wing automatic bots and it's programmed to go after my left wing comments. The idea is that the comments it makes are going to get modded down and the goal is to draw a automatic moderation system to go after my comments.

Slashdot is of cou

Who the hell said anything about

[rsilvergun]

How it affects people?

My complaint is is we are going to spend a million dollars locking up this kid and we could easily stop him from committing any other crimes that he is at all likely to commit. That's a million dollars of my money, my taxpayer dollars so that somebody can get a boner watching tough on crime bullshit.

Meanwhile we are going to put them through the ringer inflicting literal torture but we don't even have the fucking balls to do it ourselves so we set it up so that violent and craz

Re:

[ndsurvivor]

I get that. Probation would probably be good enough for this kid. That could probably be generalized for all non-violent people who are in jail right now.

Re:

[smooth wombat]

we could easily stop him from committing any other crimes that he is at all likely to commit.

If we get rid of him we're assured he'll never commit a crime again.

Re:

[angel'o'sphere]

It is not your money.
It is the state's money.
That is how taxes work.

Re: Nine fucking years in prison?

[CustomBuild]

"Got to be tough on crime right?" Right.

Re:

[MasterRa]

Would you say the same about yourself? About all the crimes you've committed? Should you be in prison?

Re: Nine fucking years in prison?

[CustomBuild]

Yes. I don't commit crimes.

Re:

[mjwx]

"Got to be tough on crime right?" Right.

Except when the criminal is rich... or a Republican.

Re:

[ndsurvivor]

On one hand America keeps more people in prison than any other country in the world, it seems. That does not seem to be consistent with a Free Country. On the other hand, this person should have had some education in Ethics, and he obviously did not, so off to Jail for him, and good riddance.

Re:

[sound+vision]

If an executive at the company had done the same thing as Matthew Lane, would you argue that the executive only deserves probation?

Re: Nine fucking years in prison?

[viperidaenz]

If an executive used stolen credentials to access data and leak it, I would argue a larger punishment is warranted. They would have no excuse for not knowing the damage they are causing and the risks to the victims involved.

Re:

[sound+vision]

Matthew Lane realized there were victims, realized he was causing damage, and attempted to profit off it. Failing to see a distinction here.

Re:

[viperidaenz]

Isn't that for a court to decide?
He's 19, his prefrontal cortex is still underdeveloped.
He's not even old enough to legally purchase alcohol

Re:

[sound+vision]

And yet, most people with an underdeveloped prefrontal cortex who can't purchase alcohol, aren't going around selling SSNs by the millions.

Although I'm sure his lawyers will argue he's not guilty by cortical insanity, or because he wasn't able to purchase alcohol, he is a big boy. He can handle big boy responsibilities, like not aiding in ID theft. My cortex didn't have any trouble with that when it was 19, or 17, or 15.

I was drinking alcohol by that age, though. That must be why I never sold any stolen dat

Re:

[PPH]

It's going to cost us a little over a million dollars to throw this 19-year-old in prison.

Justice isn't about achieving some ROI.

And let's not forget we organize and structure our prisons so that the prisoners can inflict various forms of torture on each other that we're to squeamish to do ourselves.

Unless the prison's management is insane, this guy is going to spend the next 9 plus years in solitary. Put him anywhere near gen pop and he'll end up dead. Prisoners have a pretty strict code of ethics when it comes to their crimes and victims. Children are a definite no-go.

Re:

[Entrope]

It would be child's Play to prevent him from committing any further crimes just by putting him under probation.

Wrong. Putting him under probation just gives him a motivation to not get caught next time. There's no deterrent effect for others, and little for him.

And how much does it cost to put somebody under 24-by-7 surveillance during probation?

Re:

[Powercntrl]

It's going to cost us a little over a million dollars to throw this 19-year-old in prison.

Did you even read the article? This 19-year-old is a cyber ransom scammer. You know, those scum of the Earth types who are largely responsible for cryptocurrency having a value floor.

Yes, in an ideal world we'd have all our IT infrastructure secured properly and this idiot would've had to stick to things like calling the elderly and scamming them into paying an imaginary IRS debt via Walmart gift cards. He thought he could turn someone else's lax security into a quick buck, but law enforcement actually d

Gotta love America

[LostMyBeaver]

Putting a child in prison for 9 years.

9 years of civil service or 4 years of military service... Both options that could turn this child into an asset, but the judge chose instead to destroy this kid's life and future and make him a burden on tax payers.

The kid screwed up, but it is absolutely clear he can be constructively channeled into something useful.

America... The land of the cowards and incarcerated

Re:

[ndsurvivor]

My first thought to what you said, is would you say the same thing if the child was black or an immigrant? I say that because blacks are historically the most jailed people in the USA, and about immigrants because of the collective MAGA hate against them in the moment.

Re:

[Entrope]

Here in the US, like in the vast majority of the world, the legal age of majority is 18. He's an adult, not a child.

The US doesn't have a legal mechanism for forcing convicted into the military. We haven't used conscription in decades. Don't you think it would be even more immoral to compel someone to risk their life in combat than to send them to a correctional facility?

Is your judgment about what is "absolutely clear" based on actual facts specific to this guy, or just your feelings?

Re:

[techno-vampire]

There was a time when many first offenders were given the choice of joining the Marines or going to prison, and if they chose the Marines, they were taken to the nearest recruiting station and signed up right then. And, there was a time that the Marines got some good men out of the deal, but that time is long gone. The Corps stopped accepting that kind of recruit decades ago because none of the men who signed up that way were worth having, and just kept on making trouble.

Re:

[TurboStar]

The US doesn't have a legal mechanism for forcing convicted into the military.

No, but the USA has the 13th amendment which allows for using prisoners as slaves.

Re:

[ndsurvivor]

I was repulsed by what you said, that under conditions, people in the USA can be slaves. I looked it up, and under certain conditions, in the USA, a person can be accused of something, and then be a slave.

Re:

[databasecowgirl]

Or maybe look up 'Angola'.

Re:

[Anonymous Coward]

The 13th Amendment allows involuntary servitude as part of a prison sentence. That's what the OP was suggesting by compelling this guy to join the military as an alternative to prison.

If you think any court has read the 13th Amendment to authorize "using prisoners as slaves" then you should probably point to some specific precedent about it. I know a lot of edgelords like to throw around the word "slavery" in this context, but that's whitewashing the brutal facts of what actual slavery is like.

Re:Gotta love America

[ndsurvivor]

The Current Trump Administration has "screwed" the USA Constitution in at least three different ways now. The Emoluments clause, the right to Birthright Citizenship, and the right to habeas corpus. I am sure he "screwed" the US Constitution many other ways. MAGAs don't seem to care. I feel like I am in NAZI Germany in the 1940's.

Re:

[databasecowgirl]

Are you familiar with Angola prison in Louisiana? It's a cotton plantation where inmates are forced to work without pay for the first two years of their sentence. Afterwards, they get 2 an hour for the remainder of what will basically be a life sentence.

https://www.mennoniteusa.org/m... [mennoniteusa.org]

https://www.pbs.org/newshour/n... [pbs.org]

https://m.youtube.com/watch?v=... [youtube.com]

Re:

[chas.williams]

Child? No, he's an adult. Do adult crimes, win adult sentences.

Re:

[DarkOx]

Yeah about that, Look at Ukraine.

See how effective a military is when you stock it with convicts and other undesirable conscripts, the Russian army has proved to be oh so capable.

The US military is a highly professional fight force, not a babysitter for idiots that can't manage to be members of society. The same *should* be true for most types of civil service. You want to restore anyone's faith in government about the last thing you should do is put a bunch of people with criminal proclivities on the fro

Re:

[Zontar_Thing_From_Ve]

Putting a child in prison for 9 years.

9 years of civil service or 4 years of military service... Both options that could turn this child into an asset, but the judge chose instead to destroy this kid's life and future and make him a burden on tax payers.

You'll need to define "civil service". I have no idea what you think that terms covers and would be appropriate. And as far as the military goes... I refer you to a legendary hacker named Edward Snowden. Snowden went into the military after high school and while his Wikipedia page entry is now currently scrubbed of this, apparently it went off the rails really quickly and he was discharged very quickly. I'm having to work off memory here as, like I said, his Wikipedia page is now scrubbed of this an

Re:

[strikethree]

People need to be constantly filtered out of society or else there is no feeling of terror in the general populace.

This is how we manage our society. If you don't like it, change it. I am betting you can't/won't because too many people believe this is the way to manage a society.

Most parents try to beat their children into compliance. Those children grow up and do it to their children. Is it any surprise to you that society as a whole reflects this?

Re:

[LordAba]

People need to be constantly filtered out of society or else there is no feeling of terror in the general populace.

It is very easy to state the opposite too: if there is no "filtering" you create terror in the general populace. Your type of thinking is very much a luxury belief.

This kid is a prime DOGE candidate

[Rosco P. Coltrane]

DOGE only hires sketchy teenage cybercriminals [usatoday.com] like him to "handle" our sensitive government data. He would fit right in!

OK, punish him, but

[drinkypoo]

He got access simply by trying an employee's stolen username and password combination, the complaint says

Can we please, please, please also start holding accountable the people who make the decision to implement half-assed security?

Also, can we maybe not just lock people up for nine years at our expense when some other solution will do? This locking people up for profit shit has got to end.

What about the cretins that left this open?

[gweihir]

I.e. no 2FA, no limits to login-attempts, etc.
Do they also get a few years behind bars? No? Well, then this crap will continue.

Mis-used talents

[sentiblue]

Lots and lots of bright people who have unrivaled skills... but they choose to put those skills to harmful use. I just don't get it. To be such smart, they have to know doing those things will cost them their freedom. I guess they were born smart but never been taught manners. That's why they think it's okay to commit crimes.

Re:

[LordAba]

Lots and lots of bright people who have unrivaled skills... but they choose to put those skills to harmful use. I just don't get it. To be such smart, they have to know doing those things will cost them their freedom. I guess they were born smart but never been taught manners. That's why they think it's okay to commit crimes.

Yeah... if the kid was a white hat and caught trouble just pointing out the hack to the company it would be a totally different conversation. As soon as he tried to make profit from the data that puts him firmly in a position he should have known was wrong.