The Toronto District School Board (TDSB) is grappling with the fallout from a significant cybersecurity breach that occurred in December 2024. Despite a ransom payment made by PowerSchool, the software provider involved, it was revealed that sensitive student data was not destroyed as previously assured. This alarming development has led to ransom demands from a threat actor using the compromised data, adding to the distress of parents and caregivers.
The breach, which affected the TDSB and several other school boards across Canada, involved unauthorized access to student information, including names, birth dates, health card numbers, and medical records dating back to 1985. However, it is important to note that social insurance numbers and financial information were not part of the compromised data, as TDSB does not store such sensitive information in PowerSchool.
PowerSchool, a U.S.-based company responsible for providing student information systems to schools throughout North America, confirmed on May 7, 2025, that it had paid a ransom in hopes of preventing the public release of the stolen data. In a statement, the company said, "We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action."
Despite these efforts, TDSB learned that the data had not been destroyed, as was previously claimed by PowerSchool. This revelation came to light around May 5-6, 2025, when the board received communication from a threat actor demanding ransom using the data from the December breach. The board expressed its concern, stating, "We appreciate that this news may be unsettling and understand the concern this may cause." TDSB is now working closely with PowerSchool, law enforcement, and the Privacy Commissioner of Ontario to address the situation and provide support to those affected.
Other school boards, including the Peel District School Board and the Calgary Board of Education, have also reported receiving ransom demands related to the breach. The breach stemmed from a compromised PowerSchool administrator account used for technical support, which allowed unauthorized access to various types of data, some of which date back decades.
In response to the breach, PowerSchool has offered two years of complimentary credit monitoring and identity protection services to those affected, regardless of whether they were individually involved. This measure aims to help mitigate potential risks associated with identity theft and financial fraud.
The ramifications of this incident are far-reaching. According to technology analyst Carmi Levy, the situation represents a "worst-case scenario come true." He explained, "Whenever a ransom is paid, that's the risk you run and unfortunately in this case, they gambled and they lost." Levy highlighted the high value of student data to cybercriminals, noting that even seemingly innocuous information, such as a home address or names of teachers, can be exploited for identity theft or financial attacks.
Moreover, the breach has raised concerns about the adequacy of cybersecurity measures in place at educational institutions. Charles Finlay, executive director of the Rogers Cyber Secure Catalyst at Toronto Metropolitan University, emphasized that school boards must take significant steps to enhance data security. "Attackers only have to be successful once and defenders have to be successful all of the time," he remarked, suggesting that proactive measures are essential to prevent such incidents.
Parents have expressed their concerns regarding the handling of this breach. Jack Ammendolia, a parent of a Grade 2 student, noted that clear and regular communication from school boards is crucial. He stated, "At this point, I think you start to lose confidence in those assurances. It's been a few times now." Ammendolia has been following TDSB's updates about cybersecurity incidents and believes that information about security improvements should be shared widely with all parents, not just those who have reported breaches to the privacy commissioner.
In the wake of this incident, the TDSB and other affected school boards are facing increased scrutiny regarding their data protection practices. The Canadian privacy watchdog announced in February that a formal investigation into the PowerSchool data breach had been launched, highlighting the need for accountability and transparency in handling such sensitive information.
As the situation continues to develop, TDSB officials are working diligently to address the concerns of parents and caregivers while collaborating with authorities to ensure the safety and privacy of student data. The incident serves as a stark reminder of the vulnerabilities educational institutions face in an increasingly digital world, emphasizing the need for robust cybersecurity measures and effective communication strategies.
In conclusion, the TDSB's experience with the PowerSchool breach underscores the importance of vigilance in protecting sensitive information. As schools navigate the complexities of cybersecurity, it is essential for them to prioritize the safety of their students' data and maintain open lines of communication with the communities they serve.
