20-Year-Old Enters Prison for Historic Breach, Ransoming of Massive Student Database (abcnews.com)
20-year-old Matthew Lane sent a text message to ABC News as his parents drove him to federal prison in Connecticut. "I'm just scared," he said, calling the whole situation "extremely sad."
Barely a year earlier, while still a teenager, he helped launch what's been described as the biggest cyberattack in U.S. education history — a data breach that concerned authorities so much, it prompted briefings with senior government officials inside the White House Situation Room. The breach pierced the education technology company PowerSchool — used by 80% of school districts in North America... [and operating in about 90 countries around the world]. With threats to expose social security numbers, dates of birth, family information, grades, and even confidential medical information, the breach cornered PowerSchool into paying millions of dollars in ransom.
"I think I need to go to prison for what I did," Lane told ABC News in an exclusive interview, speaking publicly for the first time about the headline-grabbing heist and his life as a cybercriminal. "It was disgusting, it was greedy, it was rooted in my own insecurities, it was wrong in every aspect," he said in the interview, two days before reporting to prison... At about 6:30 on a Tuesday morning last April, FBI agents started banging on the door of Lane's second-floor dorm room. "FBI! We have a search warrant," Lane recalled them shouting. They seized his devices and many of the luxury items he bought with "dirty" money, as he put it. He said he felt a "wave of relief.... I'm honestly thankful for the FBI," he said. "After they left, I was like, 'It's over ... I'm done with this'..."
A federal judge in Massachusetts sentenced him to four years in federal prison and ordered him to pay more than $14 million in restitution.
"In the wake of the breach, PowerSchool offered two years' worth of credit-monitoring and identity protection services to concerned customers," the article points out. But it also notes two other arrests in September of teenaged cybercriminals:
- A 15-year-old boy in Illinois who allegedly attacked Las Vegas casinos, reportedly costing MGM Resorts alone more than $100 million
- A British national who when he was 16 helped breach over 110 companies around the world and extort $115 million.
But ironically, Lane tells ABC News it all started on Roblox, where he'd met cheaters, password-stealers, and cybercriminals sharing photos of their stacks of money, creating a "sense of camaraderie." Lane and others warn that online forums also attract criminal groups seeking to recruit potential hackers. "The bad guys are on all the platforms watching the kids playing," Hay said. "And when they see an elite-level performer, they go approach that kid, masquerading as another kid, and they go, 'Hey, you want to earn some [money]? ... Here are the tools, here are the techniques'...."
According to Lane, he spent his "ill-gotten gains" on designer clothes, diamond jewelry, DoorDash deliveries, Airbnb rentals for him and his friends, and drugs — "lots of drugs." He said he would numb ever-present feelings of guilt with drugs — from high-potency marijuana to acid. But it was hacking that gave him the strongest high. "It's indescribable the adrenaline you get when you do something like that," he said. "It's way more than driving 120 miles per hour. ... Incomparable to any drug at all, as well."
"On Monday, Roblox announced that, starting in June, it will offer age-checked accounts for younger users that limit what games they can play, and add 'more closely align content access, communication settings, and parental controls with a user's age.'"
You committed a crime (Score:4, Informative)
Re: (Score:2)
Consequences schmonsequences, as long as I'm rich! [youtube.com]
Moral of the story: (Score:5, Insightful)
If a massive amount of critical information and system of your business can be held hostage by a child then you are not "taking security very seriously" and you do not "respect the rights of [your] users".
The fact that stuff like this happens is astoundingly stupid. This foolish child isn't innocent but the businesses are all guilty as hell.
Re: Moral of the story: (Score:3)
Maybe not guilty as hell but definitely negligent.
Re: (Score:2)
It's not just a child. It's a child plus a network of organised crime that specialises in tooling for illicit compromise, which said child has access to, plus contacts with compromise experience to learn from. This changes things significantly.
Cybersecurity is a hellishly expensive thing if done to the degree that's found in financials and the like (where a bad compromise could have serious international ramifications).
Most places don't have the budget to hire enough of the right staff to protect against
Re: (Score:2)
I've heard similar arguments in jail. Psychopaths blame the victims for allowing themselves to be exploited.
Calling him a 'child' is a bit of a stretch, too, unless you mean 'an immature or irresponsible person' or 'a person who has little or no experience in a particular area' or 'a young human below the age of puberty'. It implies that he shouldn't be treated as an adult....and the court decided he should be.
Re: (Score:2)
I've heard similar arguments in jail. Psychopaths blame the victims for allowing themselves to be exploited.
You see this as victim and perpetrator. I see this as, lesser perpetrator and greater perpetrator. Both parties are to blame. The world is not black and white, it is a sea of gray.
Calling him a 'child' is a bit of a stretch, too, unless you mean 'an immature or irresponsible person' or 'a person who has little or no experience in a particular area' or 'a young human below the age of puberty'.
"Lane said he was a prolific cyber criminal by age 15, and usually directed his cyberattacks toward "big, big" targets."
It implies that he shouldn't be treated as an adult....and the court decided he should be.
No, that's what you have inferred. He's an adult now and will be treated as such.
He's not a child. (Score:2)
Security weakness is not consent to intrusion.
Re: (Score:2)
Give lip service to security and walk away from any breaches with the words, "nothing could be done". That is the business model for everything that people do not want to take seriously.
The results speak for themselves, but nobody is listening to the results, just to the lip service.
Re: (Score:2, Insightful)
How's Roblox's role in this different from any other platform?
Would it be OK if the hackers had used IRC/Discord/Signal/Haven/etc?
Wherever you have large numbers of people communicating, you'll end up with situations like you described. And when someone tries to enforce limits, you have the 'free speech' crowd come out of the woodwork (I may not necessarily agree with them on everything, but they're not wrong).
Bottom line is that people are responsible for their own actions. Unless you want 'big brother' w
Re: (Score:2)
Corporations are people, very wealthy people. Wealthy people have a different justice system than you and me.
Re: (Score:1)
There are about 33 million businesses in the United States. I can't find numbers, but it seems reasonable that at least half of those are incorporated. Thus you are claiming that there are about 17 million "very wealthy people" in the U.S., or 5% of the population. A net worth of $1,000,000 is about the 95th percentile. That was wealthy 50 years ago, but now it's just comfortably well off. You can't buy a national politician and keep him bought for 1 million. Those corporation owners aren't all "very wealth
Misdirected skillset, contempt of cop^H^H^H (Score:2)
corporation.
1. Why do we not have a way to catch these bad actors early and redirect their talent to something more beneficial? Of course the human nature part of the pursuit of riches gets in the way here.
2. Let me start by saying that this guy deserves to go to prison for what he did. However, a lot of laws are bought and paid for by corporations bent on severely punishing people for things which put a dent in profitability. I would argue it is similar to "contempt of cop" but for the benefit of "virtual
Re: (Score:2)
1. Why do we not have a way to catch these bad actors early and redirect their talent to something more beneficial?
Because often these folks aren't actually talented and are just being opportunistic criminals. Lots of things aren't secured particularly well in real life too, but we don't offer well paying jobs to every kid who learns lock picking from YouTube, either.
Admittedly, because these companies being breached have their systems connected to the global internet, they should be taking security a bit more seriously since the culprit may not always be an American or from a country with an extradition treaty. But a
Re: (Score:2)
So maybe the conviction and sentencing, and punishment meted out should consist of 2 parts. One for the perpetrator, and the other for the corporation who let their guard down. The problem is, you can never be sure all of the vulnerabilities are mitigated on your attack surface. Also how do you convict a corporation without designating some corporate officer who is the equivalent of a whipping boy, and who gets to go to jail on behalf of the corporation.
Re: Nobody deserves to go to prison (Score:2)
Grow up.
Re: (Score:2)
I'm politically on the 'left' but I think you're dead wrong about this.
In a previous career I spent LOTS of time talking to criminals of all stripes, from shoplifters to serial killers. I went into that job thinking more or less the same as your above post; I came out of it many years later thinking the exact opposite. There's definitely inequality in terms of who gets sent to jail, but what I learned (n=1, this is just my opinion) is that we need prisons, and prisons don't have to be about education, refor
You're completely missing my point (Score:1)
I'm not talking about whether it's fair to be sent to prison or whether we send people to prison fairly. I am saying the fundamental concept of prison is unfair and barbaric and something that we need to grow out of.
You are still thinking of something like inherent evil. Like the idea that some people are just born evil. That's where the idea of punishment that is deserved comes from.
Without that idea you basically
Re: (Score:2)
I'm with you on this. Prison has no place in a mature society that actually cares about its members.
Re: (Score:1)
I've known people who behaved in an evil manner because they thought it was fun. None of those people misbehaved because they were mistreated, they misbehaved because they just weren't caught and punished. Lacking punishment, they continued misbehaving, even bragging about it and encouraging others to follow their lead.
Most human behavior depends on feedback.
Re: (Score:2)
Definitely - a lot of people doing 'bad' things are broken in some way, had difficult/abusive childhoods etc etc. Not minimizing that at all, and it's something we have to work on as a society.
But what we're each saying isn't mutually exclusive - a person's background is obviously relevant to why they ended up in court. But the point is - they still did something horrible. I saw on multiple occasions, people not going to jail for awful crimes because their lawyer told Court what a difficult upbringing they
I'm starting a movement to bring back DOOM (Score:2)
Before you go into any prison, you have to pick up the red, blue, and gold card(s). And a berserker pack.
Nothing elite about this kid. (Score:2)
He's just another script kiddie that was gassed up by the real threat actors, then handed tools. 9 out of 10 times one of these kids go down, they aren't the brains behind the incident.
They even admitted that somebody else provided the tools. It's just sad that they still believe that they were selected for their leet skillz.
Once again they buried the lead (Score:2)
That seems like a much bigger deal here.
You can send all the 20-year-olds you want to jail for as long as you want and it will never make that okay. But hey security theater is a thing and old people like seeing young people get harmed. I don't know why we just seem to like it a whole hell of a lot.
Why is his age news? (Score:3)
He's an adult criminal, not a child. He chose his fate.
Re: (Score:1)
If only we held the same strict standard to the people casually ransacking retail stores in urban areas.
yer gonna put you eye out kid (Score:2)
It's all fun and games until that happens
"Matthew Broderick" almost touched off a global thermonuclear war... And walked away.
"Mr Robot" was fighting the good fight... As if THAT really happens.
The fact is, investigating your own gear is a-ok. Stuff that belongs to others... It gets dark gray really fast. Make bucks at it... It's not gray at all. Pitch black.
The real take away here ... (Score:1)
Information security is still being treated as a joke, an afterthought by corporations that process PII in bulk.
Yes, it is fine to "slap 'em in irons" for breaching these systems, but why aren't there serious penalties for the owners and operators of these systems who fail to protect them with better security than the equivalent of rent-a-cops?
Governments (Score:2)
The biggest actors in the hacking world are governments. Countries like: Russia, North Korea, Iran, but also the USA and Israel. Probably others as well.
So the fact that some kid was able to access so much info is quite worrisome. If he had worked for the NSA they would have paid him nicely to hack, but since he did it on his own (or unknowingly for another government) he's going to jail.
The biggest threat to cybersecurity these days are governments!
Details (Score:2)
While I'm clearly opposed to the U.S. prison system, which I would call a violation of basic human rights, the prison term is most likely based on his extortion attempt to ransom 2.4 Million USD
along with him being not an influential millionaire, and go to a minimum security prison similar to the one Jeffrey E. went for.
And from my POV this should be the only crime he should "rethink" what he would be in for.
https://www.justice.gov/usao-m... [justice.gov]
But I'm also in favor that the people responsible for the security holes t
Re: (Score:2)
the prison term is most likely based on his ... being not an influential millionaire
Not for a lack of trying!
Crimes this big, take two (Score:2)
- So much PII information in one database,
- Much of the sensitive data (e.g., medical) was not encrypted at rest,
- Was this database HIPAA compliant?
- An apparent failure to identify the breach and block the connection,
- an apparent failure to hold the corporation accountable for these failures.
Next time the criminal won't grab money, he'll save all that Id. information for 10 years, then commit wide-scale, unstoppable identity thef
Fuck around and find out (Score:2)
The real issue is terrible data security (Score:2)
It's not even enoug