The U.S. Attorney’s Office for the District of Massachusetts has charged a student at Assumption University with hacking into two U.S.-based companies’ systems and demanding a ransom.

Matthew D. Lane, 19, has agreed to plead guilty to one count of cyber extortion conspiracy, one count of cyber extortion, one count of unauthorized access to protected computers, and one count of aggravated identity theft.

The U.S. Attorney’s Office’s press release states that Lane agreed with co-conspirators between April and May 2024 to extort a $200,000 ransom payment from a telecommunications company by threatening to publish private data. When the telecommunications company questioned the payment, Lane used stolen login credentials to access the computer network of a software and cloud storage company that served school systems. The company received threats that the “PII of more than 60 million students and 10 million teachers – including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords, among other data – would be ‘leak[ed] . . . worldwide’ if the company did not pay a ransom of approximately $2.85 million in Bitcoin.”

A plea hearing has not been scheduled. If convicted, “the charges of cyber extortion conspiracy, cyber extortion and unauthorized access to protected computers each provide for a sentence of up to five years in prison, three years of supervised release and a fine of up to $250,000, or twice the gross gain or loss, whichever is greater. The charge of aggravated identity theft provides for a mandatory sentence of two years in prison, consecutive to any sentence imposed on the computer fraud charges.”