A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.

Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.

U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.

Federal prosecutors were seeking a sentence of eight years for Lane, arguing that the crimes he pleaded guilty to follow a series of cybercriminal activity dating back to 2021. “The government has serious concerns that Lane poses an ongoing threat to the community and remains in denial about the scope of his criminal activity,” prosecutors said in a sentencing memo filed Oct. 7 in the U.S. District Court for the District of Massachusetts. 

Prosecutors cited multiple examples of other cybercriminals who committed and were convicted of less serious crimes. In those cases, the lighter sentences cybercriminals received did not sufficiently deter them from reengaging in cybercrime upon their release from jail. Lane’s attack on PowerSchool put 10 million teachers and 60 million children, some as young as five years old, at risk of identity theft for the remainder of their lives, prosecutors said. 

The PowerSchool attack, which Lane committed in September 2024 by using a PowerSchool contractor’s credentials to gain unauthorized access, is reportedly the single largest breach of American schoolchildren’s data on record. Lane threatened to release the data in December 2024 if PowerSchool didn’t pay a ransom valued at nearly $2.9 million at the time.

Multiple school district customers of PowerSchool received follow-on extortion demands linked to the stolen same data, the company said in May. The downstream extortion attempts underscore how cybercriminals, affiliated or not, will continue to exploit sensitive data for financial gain.

Lane forfeited almost $161,000 traced to his crimes, but about $3 million in illicit proceeds remains unaccounted for, according to court documents. “The money he returned is barely one percent of the financial loss he caused,” prosecutors said in the court filing.

Lane is required to surrender to the Federal Bureau of Prisons by Dec. 1.

The post PowerSchool hacker sentenced to 4 years in prison appeared first on CyberScoop.

Federal cyber authorities issued an emergency directive Wednesday requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.

The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.

F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.

CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.

Many federal agencies and private organizations could be impacted. CISA said there are thousands of F5 product types in use across executive branch agencies. 

These attacks on widely used vendors and their customers are part of a broader campaign targeting key elements of America’s technology supply chain, extending the potential downstream effect to federal agencies, critical infrastructure providers and government officials, Nick Andersen, executive assistant director for cybersecurity at CISA, said during a media briefing. 

CISA declined to name the country or specific threat groups behind the attack on F5’s systems. Generally, the broader goal of nation-state attackers is to maintain persistent access within the targeted victim’s network to hold those systems hostage, launch a future attack,  or gather sensitive information, Andersen said.

CISA’s order requires federal agencies to apply security patches F5 released in response to the attack, disconnect non-supported devices or services, and provide CISA a report including a detailed inventory of all instances of F5 products within scope of the directive.

Officials referred questions about the effectiveness of F5’s security patches back to the vendor and declined to independently verify if the software updates have fixed the vulnerabilities attackers gained information on during the breach. 

Neither CISA nor F5 have explained how the attackers gained access to F5’s internal systems. 

Officials repeatedly insisted that the government shutdown and multiple waves of reductions to CISA’s workforce did not negatively affect or delay the government’s ability to coordinate with partners, respond to this threat and issue the emergency directive. Andersen declined to say how many CISA employees have been dismissed with reduction-in-force orders since the federal government shut down two weeks ago. 

“This is really part of getting CISA back on mission,” Andersen said.

“While, yes, this may be the third emergency directive that’s been issued since the beginning of the Trump administration, this is the core operational mission for CISA,” Andersen said. “That’s really what we should be doing, and we’re able to continue to perform that mission in collaboration with our asset partners right now.”

The post CISA warns of imminent risk posed by thousands of F5 products in federal agencies appeared first on CyberScoop.

A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.

An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.

SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post. 

“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.

The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack. 

Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added. 

SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years. 

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.

While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.

The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.

“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said. 

“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”

SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.

The post SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal appeared first on CyberScoop.

The incident has resulted in a system failure that impacted orders and shipments in Japan, and call center operations.

The post Cyberattack on Beer Giant Asahi Disrupts Production  appeared first on SecurityWeek.

The government has announced a support package, but a cybersecurity expert has raised some concerns.

The post Cyberattack on JLR Prompts £1.5 Billion UK Government Intervention appeared first on SecurityWeek.

Collins Aerospace is reportedly having difficulties recovering from the ransomware attack.

The post European Airport Disruptions Caused by Ransomware Attack appeared first on SecurityWeek.

The cyberattack affected software of Collins Aerospace, whose systems help passengers check in, print boarding passes and bag tags, and dispatch their luggage.

The post Airport Cyberattack Disrupts More Flights Across Europe appeared first on SecurityWeek.

The disruptions to airport electronic systems meant that only manual check-in and boarding was possible.

The post Cyberattack Disrupts Check-In Systems at Major European Airports appeared first on SecurityWeek.

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.

The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”

While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.

This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices. 

“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop. 

“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added. 

SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said. 

“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added. 

SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm. 

Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”

SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.

Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said. 

“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.

Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks. 

Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.

The post Attack on SonicWall’s cloud portal exposes customers’ firewall configurations appeared first on CyberScoop.

After announcing that the cyberattack-caused disruption to factories would continue, Jaguar Land Rover is now confirming a data breach.

The post Jaguar Land Rover Admits Data Breach Caused by Recent Cyberattack appeared first on SecurityWeek.