Student and staff personal information stolen during the cyberattack four months ago has not been destroyed despite a ransom being paid, the Toronto District School Board said on Wednesday.
The board also revealed that it became aware of the circumstance this week after a “threat actor” made a separate ransom demand in exchange for the stolen data.
The TDSB provided the update on the PowerSchool data breach, which occurred between Dec. 22 and 28, 2024, in Wednesday letters to parents, guardians, and school staff.
PowerSchool is a cloud-based program used by the TDSB and other North American school districts to store student and staff information.
The TDSB said PowerSchool informed all impacted school boards shortly after the incident that data illegally accessed had been deleted and no copies were posted online.
The software company did not disclose how it managed to do that until this week, when it confirmed to school boards that they paid a ransom.
“PowerSchool has now confirmed that they have paid a ransom in an attempt to secure deletion of the impacted data. As with any such incident, there was a risk that the threat actors would not honour their commitment to delete the stolen data, despite assurances provided to PowerSchool,” the TDSB letter read.
The sensitive information was not indeed erased, as it was used this week to extort schools, including the TDSB.
“Earlier this week, TDSB was made aware that the data was not destroyed. TDSB, along with other North American school boards, received a communication from a threat actor demanding a ransom using data from the previously reported December 2024 incident,” the letter read.
PowerSchool, in a separate statement on Wednesday, said it was aware of the new ransom demands and has reported the matter to Canadian and American authorities.
“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” the software company said.
In their statement, the company explained that it paid a ransom “in the days following” the cyberattack, believing that it was “in the best interest of our customers and the students and communities we serve.”
PowerSchool acknowledged the risk that those responsible would not destroy the data but said, “We felt it was our duty to take that action.” They did not disclose how much they paid.
During a technical briefing in January, a PowerSchool official said an unauthorized actor was able to hack into the system and download data through compromised credentials.
What info was stolen in the breach?
The TDSB has said that personal student information dating back to 1985 was affected by the breach, including names, dates of birth, gender, health card numbers, home addresses, home phone numbers, and school emails.
If students provided medical information to document an allergy, illness, or condition, it was also likely affected by the breach, the TDSB said.
Staff names, employee numbers, and school email addresses were also stolen during the attack. The TDSB added that the personal numbers and home addresses of about 350 staff members could have been acquired by hackers.
The school board noted that financial or banking information as well as social insurance numbers were not stored in the system, thus were not stolen.
“We appreciate that this news may be unsettling and understand the concern this may cause,” the TDSB said.
“We remain committed to working closely with PowerSchool, law enforcement and the Information and Privacy Commissioner of Ontario to provide support in any way we can.”
With files from CTV Toronto’s Alex Arsenych
