The 90-Day Gap: How Bain Capital Bought a Breach
In January, I warned my daughter’s school district that the PowerSchool breach was more than just a leak. And again in May. Today, federal charges vindicated both of my concerns.
Audio Log: Listen to my real-time, human analysis reflecting on January 2025 when I became aware Powerschool SIS data had been breached, and in May flagging the CrowdStrike anomaly months before the federal charges confirmed it.
The Vindication: United States v. Matthew Lane
Recently, the Department of Justice unsealed charges against Matthew D. Lane revealing details of the charges prosecutors found him guilty of in October 2025.
In October, he was sentenced, and if you care about your children’s privacy, you need to read it.
In it, Lane is charged with with (4) counts of cyber-crimes related to both (Victim 1) and Powerschool (Victim 2)
Count One: Cyber Extortion Conspiracy (18 U.S.C. § 371)
Count Two: Cyber Extortion (18 U.S.C. §§ 1030(a)(7)(B), (c)(3)(A) and 2)
Count Three: Unauthorized Access to Protected Computers (18 U.S.C. §§ 1030(a)(2)(C), (c)(2)(B)(i), (ii), and (iii), and 2)
Count Four: Aggravated Identity Theft (18 U.S.C. § 1028A(a)(1))
The government’s sentencing memorandum strips away the corporate PR spin and reveals a timeline of negligence that is staggering.
The Official Timeline (According to the DOJ):
September 4, 2024: Lane uses compromised credentials (User ID ending in
00A0) to gain unauthorized access to PowerSchool’s network.December 19, 2024: Lane leases a server in Russian controlled territory of Ukraine.
December 20, 2024: Lane exfiltrates the massive database—Social Security numbers, medical information, and dates of birth—to that server.
The Missing Detail: Between the break-in (September) and the theft (December), something massive happened in the corporate world. On October 1, 2024, Bain Capital completed its $5.6 billion acquisition of PowerSchool, taking the company private.
And even earlier, in June 2024, Bain announced their intention to acquire Powerschool on their website.
The Bain Capital Shield
Listen to the audio recording above. Months ago, I analyzed the forensic reports and pointed out a glaring anomaly: Why did the CrowdStrike report anchor the “initial compromise” to August 2024?
The federal charges now illuminate the strategy. By pinning the vulnerability to August/September (Pre-Acquisition), the narrative shifts. It suggests the breach was a “legacy issue”—a broken window inherited by Bain Capital—rather than a failure of the new owners to secure the house they just bought.
The Reality: For the first 90 days of Bain Capital’s ownership—the exact window of the transition—a hacker sat inside the network. The account he used to steal the data of millions of children was not secured with Multi-Factor Authentication (MFA). The door was unlocked in September. Bain bought the house in October. And they didn’t change the locks before the robber emptied it in December.
The Real Timeline:
September 4, 2024: Lane uses compromised credentials to walk right into PowerSchool’s network.
December 20, 2024: Lane finally exfiltrates the massive database—Social Security numbers, medical histories, home addresses—to a server in Russian-controlled territory of Ukraine.
He sat inside the system for three months. He had the keys to the castle, and nobody changed the locks.
Here is the detail the press releases missed. In October 2024—right in the middle of that three-month window—Bain Capital finalized its $5.6 billion acquisition of PowerSchool.
When the forensic reports came out, they oddly anchored the “initial compromise” to August/September . Why emphasize a date before the hack really popped off? Because it creates a liability firewall.
September (Pre-Acquisition): The door is left unlocked.
October (Acquisition): Bain moves in.
December (The Robbery): The house is emptied.
By pointing to September, the narrative becomes: “This was a legacy issue. It happened before we got here.”
But the DOJ facts imply something far worse: For the first 90 days of Bain’s ownership, the most sensitive database in American education was arguably left unguarded, without basic Multi-Factor Authentication (MFA) on critical support accounts .
“Worry About Yourself”
It is important to understand the context of my fear. I wasn’t just dealing with PowerSchool.
In March—just weeks after I raised the alarm—Yale New Haven Health notified my family that we had been hit on a second front. My two youngest sons’ information had been breached. Mine, their mothers’. SSN’s for the adults, no kids.
I was living in a digital crossfire. One breach threatening my nephew’s future, another exposing my daughter’s and sons’ identities.
So when I pressed my concerns to a neighbor—who happens to be friendly with the Secretary to the President of Yale—I was looking for an ally. I was looking for someone who understood the institutional failure happening around us.
Instead, she looked at me and said, “You’re going crazy, Evan... worry about yourself. my friend told me this was no big deal”
It was the perfect summary of the modern era. While our children’s data was being siphoned off to servers in Russian controlled territory of Ukraine and sold on the dark web, the institutions responsible for protecting them—from Bain Capital to the Ivy League—had the same advice: Stop complaining. Worry about yourself.
The Weaponized Future
I didn’t write those warnings in January to be right. I wrote them because I know what that data is for. Matthew Lane didn’t steal credit cards. He stole human telemetry. The behavioral flags, the medical accommodations, the attendance records—this is the raw material used to build psychological profiles. It is the data used to target a 9-year-old boy with content designed to radicalize or depress him.
The DOJ charges prove the breach was preventable. The timeline proves that corporate liability was prioritized over student safety. And the silence from our schools proves that apathy is the true vulnerability.
I’m not “crazy.” I’m a father who reads the fine print. And it’s time you started reading it too.