The Toronto District School Board (TDSB) announced that a recent cybersecurity breach affecting PowerSchool may have compromised personal student information from 1985 to 2024. The breach, discovered on January 7, has caused concern as it potentially impacts medical information, health card numbers, and home addresses.
PowerSchool serves as a cloud-based platform used by many school boards to retain student and staff records. In a communication to parents and guardians, Interim Director of Education Stacey Zucker explained that the specific details of the compromised data vary depending on a student’s enrollment period.
The TDSB reported that records for students enrolled from September 3, 1985, to August 31, 2017, may have included names, dates of birth, genders, health card numbers, home addresses, phone numbers, and additional information. For students who attended from September 2017 through December 28, 2024, the accessed information may include names, dates of birth, genders, health card numbers, medical records such as allergies, home addresses, phone numbers, residency information, as well as parent, guardian, or caregiver details, and emergency contact information.
Notably, the TDSB confirmed that medical information related to its support services team, which includes various health professionals, was not affected by the breach. Canadian privacy officials are currently investigating the incident.
In response to the breach, PowerSchool announced it will provide complimentary identity protection services for two years to all impacted students and educators, along with two years of credit monitoring for adult students and educators, irrespective of whether their Social Insurance Numbers were compromised. The TDSB has stated that it does not store Social Insurance Numbers or financial data within the PowerSchool system, indicating that such information remains secure.
“PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.”
-PowerSchool
TDSB spokesperson Ryan Bird stated that PowerSchool has assured all school boards that the compromised data has been deleted and not stored elsewhere. Bird expressed ongoing concerns regarding the breach and emphasized collaborative efforts with PowerSchool to enhance system security.
According to TechCrunch, Romy Backus, an administrator from the American School of Dubai, received a notification from PowerSchool about the breach and took immediate steps to understand its impact, as the initial communication did not specify which data was compromised. Backus noted a lack of actionable information, leading to confusion among school administrators who were trying to ascertain the extent of the breach. Administrators across various affected schools turned to each other for guidance, resulting in a noticeable surge in communication among users on their email listservs.
Backus utilized her technical knowledge to identify compromised data at her school and subsequently created a comprehensive guide for fellow administrators detailing the breach patterns and steps for investigation. This guide was shared widely across PowerSchool user forums, gathering thousands of views and becoming a critical resource for schools navigating the aftermath of the breach.
Doug Levin, co-founder of the K12 Security Information eXchange, noted the significance of such collaboration within the education community, particularly during large-scale incidents like the PowerSchool breach, as schools often lack robust cybersecurity resources.
PowerSchool spokesperson Beth Keebler acknowledged the supportive environment fostered among its customers, highlighting the cooperative efforts during the security crisis.
As of the latest update, the TDSB has assured current and former students that there is no ongoing unauthorized access to data.