Canada’s largest school board says personal student information dating back to 1985 may have been breached during a recent cybersecurity attack that impacted school boards across North America.
In an update today, the Toronto District School Board (TDSB) said medical information, health card numbers, and home addresses among other things could have been accessed by hackers in the widespread PowerSchool breach, which came to light on Jan. 7.
PowerSchool is a cloud-based program used by school boards to store student and staff information.
In a letter to parents and guardians, Interim Director of Education Stacey Zucker said the type of data accessed depends on when someone was a student at TDSB.
The board said information for pupils enrolled between September 1985 and December 2024 was accessed.
For TDSB students enrolled between Sept. 3, 1985 and Aug. 31, 2017, names, dates of birth, genders, health card numbers, home addresses and phone numbers, and other information may have been breached, the board said.
Those who attended a TDSB school between Sept. 2017 and Dec. 28, 2024 may have had their names, dates of birth, genders, health card numbers, medical information such as allergies, home addresses and phone numbers, residency information and more compromised, said the TDSB. Parent, guardian or caregiver information, as well as student emergency contacts could have also been accessed.
Medical information provided to the TDSB’s support services team, including psychologists, occupational therapists, physiotherapists, audiologists, speech language pathologists, and social workers, was not affected, it said.
Canada’s federal privacy watchdog and the Office of the Information and Privacy Commissioner of Ontario (OIPCO) are both investigating the breach.
“It is deeply concerning that sensitive personal information may have been exposed in this data breach. While public institutions like schools and school boards can outsource services to third party vendors, they cannot outsource accountability for protecting personal information,” the OIPCO said in a statement provided to CTV News Toronto.
20 Ontario school boards have reported cybersecurity incidents tied to the PowerSchool breach to the OIPCO.
PowerSchool, meanwhile, says it will be offering two years of complimentary identity protection services for all students and educators whose information was involved in the breach, as well as two years of complimentary credit monitoring services for all adult students and educators whose information was involved regardless of whether their Social Insurance Number was impacted.
The TDSB noted that it “does not store any Social Insurance Numbers, financial or banking information in the PowerSchool Student Information System, so that information was not affected in any way.”
In an interview with CP24 on Monday, TDSB spokesperson Ryan Bird said PowerSchool has “provided assurances to all school boards that they are confident the information has been deleted and has not been copied elsewhere or online.”
“We are still very concerned that this even happened. We have been working closely with PowerSchool to do everything we can on our end to make sure systems are secure,” he said.
In today’s update, the TDSB also assured current and former students that there is currently no ongoing unauthorized access to any data.