A 19-year-old from Massachusetts has pled guilty to being behind last year’s PowerSchool data breach, which affected 18,476 Massachusetts residents, with some students, families, and staff having their social security numbers and medical records exposed.
The hacker, a student at Assumption University in Worcester, used stolen credentials to gain access to PowerSchool, a service provider that works with school systems across the nation. Court documents say that the threat actor had threatened to expose the stolen private information of tens of millions of students and teachers unless a ransom of $2.85 million in Bitcoin was paid.
PowerSchool admitted last month that it had made a ransom payment, while not disclosing the amount. There have been multiple class-action suits brought against the vendor.
U.S. Attorney Leah B. Foley decried the case as “a serious attack on our economy and on all of us,” adding that the hacker “stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents.”
According to Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division, the hacker “thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars. He also allegedly conspired to extort more money from a telecommunications provider over its confidential data.”
The hacker faces multiple counts, including cyber extortion, unauthorized access to protected computers, and aggravated identity theft—charges carrying up to five years in prison per count, plus mandatory consecutive prison time for identity theft.