Hey everyone. I'm Drex and this is the two minute drill. It's great to see everyone today. Here's some stuff you might wanna know about. Matthew Lane grew up in Massachusetts with a gift he didn't quite know what to do with.
By the time he was 14, he was hacking online games, and it's not really cheating exactly, more like he was exploring the possibility of what happens when you push the edge of the system, when you ask questions the developers didn't quite anticipate. And he got really good at it. And by the time he went to college, he was a dual major in cybersecurity and computer science. He was the kind of kid who, in a slightly different version of the story, ends up at a cybersecurity firm somewhere getting paid to find holes in software before the bad guys do.
But he described hacking as giving him, quote, "the most natural high ever." And he even used the word addicted when he talked about it.
In September 2024, Lane came across a contractor's stolen credentials. This is the stuff that floats around the dark web forums and credential dump sites, a username and a password separated from whoever actually, originally, it belonged to. He used them to log into PowerSchool, one of the largest K through 12 education software companies in North America. PowerSchool manages student records and grades and attendance and personal information, and even some health information for school districts all across the United States and Canada.
He walked around inside their systems for a while and then he walked out with the data on nearly 70 million students and teachers. Families started freezing their children's credit. Districts from Massachusetts to California sent breach notifications, the kind that, if you're a parent, land in your inbox and make your stomach drop.
PowerSchool paid the ransom, somewhere around $3 million in Bitcoin, and then they spent months explaining to parents why their children's personal information had been in the hands of a stranger. Lane also hit US telecommunication companies using the same method. He found credentials on the dark web and he walked right into their networks.
Eventually, the FBI caught him and he pled guilty in November of 2025. Four years in federal prison, $14 million in restitution. And he stood before the judge and he said something nobody expected to hear. He said, "I'm thankful that I got caught. I honestly am thankful for the FBI and the DOJ because I probably would've never stopped."
He was 20 years old. There's a version of this story that ends a little differently, where someone sees a 14-year-old kid probing the edges of an online gaming server and thinks, this kid needs direction, and then they take action to help him get to the better version of this story, where the cybersecurity degree he was pursuing leads to something legitimate before the hacking high becomes something he can't walk away from.
That version didn't happen. Here's what I want healthcare execs to sit with, and it's not the scale of the breach. 70 million records is a shocking number, but it's kind of an abstraction. The real story to me is simpler and more unsettling than that. Matthew Lane didn't break anything. To get into these systems, to these companies, he used a contractor's stolen credentials, a username and a password sitting loose on the internet attached to someone who had legitimate access to PowerSchool systems.
He found those credentials, he used them and he walked through the front door like he belonged there. He didn't break in, he logged in. How many of your vendors have access to your systems right now? How many contractors have credentials that have been used, issued, and maybe rotated once, but never audited since?
How many people who used to have access still have it, probably because nobody got around to removing it? And is everyone using MFA for every system? PowerSchool is a multi-billion-dollar education technology company. They had a contractor's credentials floating loose on the internet, and a 20-year-old with an addiction found them and used them.
The question isn't really whether your AI systems are sophisticated enough to fight frontier AI. The question is whether you're doing the basics, all the fundamental security work, the open book test stuff to protect yourself, because if you've got the fundamentals down, you're way less likely to be hacked now and in the future.
That's it for today's two minute drill. I'd love to hear what you're thinking. Drop something in the comments or DM me. Return fire, as always, welcome, and as always, thanks for being here. Stay a little paranoid and I will see you around campus.