BOSTON — A student at Assumption University in Worcester has agreed to plead guilty to hacking into the computer networks of two U.S.-based companies and extorting the companies for ransoms, the U.S. Attorney said Tuesday.
Matthew D. Lane, 19, of Sterling, has agreed to plead guilty to one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft, U.S. Attorney Leah Foley said.
Criminal charges were filed against Lane on Tuesday, federal court documents show.
Lane is accused of hacking into the computer networks of a U.S.-based telecommunications company and a software and cloud storage company that served school systems in the U.S. and Canada.
He’s accused of leasing a computer server in Ukraine and stealing “millions of records containing confidential and personally identifiable information,” prosecutors said.
A plea hearing has not yet been scheduled by the court.
“Cyber extortion is a serious attack on our economy and on all of us,” Foley said Tuesday.
Lane “stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals – all to put a notch in his hacking belt,“ Foley said.
The alleged ransoms that Lane, and others like him demand, “hurt victim companies and their innocent customers whose data the companies are entrusted to hold,” Foley said.
According to court filings, between April 2024 and May 2024, Lane agreed with others to extort a $200,000 ransom payment from a telecommunications company by threatening to publicly disseminate customer data that had previously been stolen from the company’s computer network.
When the victim company questioned whether a ransom payment would in fact end the threat of its customer data being leaked, Lane allegedly responded, “We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked.”
Prosecutors allege that Lane used stolen login credentials to access the computer network of a second victim company – a software and cloud storage company that served school systems in the United States, Canada and elsewhere.
Lane allegedly caused personally identifying information of students and teachers stored on that company’s networks to be transferred to a computer server that Lane leased in Ukraine.
Later, prosecutors said the second victim company and others received threats that the personally identifying information of more than 60 million students and 10 million teachers – including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords, among other data – would be “leak[ed] . . . worldwide” if the company did not pay a ransom of approximately $2.85 million in Bitcoin.
“Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars,” Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division, said in a statement.
“He also allegedly conspired to extort more money from a telecommunications provider over its confidential data,” Milka said. “This alleged scheme has resulted in serious consequences and highlights the FBI’s ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law.”
Anyone with questions or concerns as to whether a particular student and/or teacher’s information was compromised should contact their local school district, officials said.
For each charge of cyber extortion conspiracy, cyber extortion and unauthorized access to protected computers, Lane faces a sentence of up to five years in prison, three years of supervised release and a fine of up to $250,000, or twice the gross gain or loss, whichever is greater.
For the charge of aggravated identity theft, Lane faces a mandatory sentence of two years in prison, consecutive to any sentence imposed on the computer fraud charges.
This is a developing story. Check back for updates as more information becomes available.
Download the FREE Boston 25 News app for breaking news alerts.
Follow Boston 25 News on Facebook and Twitter. | Watch Boston 25 News NOW
©2025 Cox Media Group
/cloudfront-us-east-1.images.arcpublishing.com/cmg/7QOJU3BNCJERBNKJC5LWTBYFLU.png)
