Canada’s largest school board has informed its staff and students that some of their personal information stolen during a cyberattack late last year remains in the possession of the hackers, even after a ransom was paid.

On Wednesday, in a letter to parents, guardians, and staff, the Toronto District School Board (TDSB) provided the update on the PowerSchool data breach, which occurred between Dec. 22 and 28, 2024.

PowerSchool is a cloud-based program used by the TDSB and other GTA school boards to store student and staff information.

The TDSB said PowerSchool confirmed to the board that they paid ransom hoping that the stolen data gets deleted.

“As with any such incident, there was a risk that the threat actors would not honour their commitment to delete the stolen data, despite assurances provided to PowerSchool. Earlier this week, TDSB was made aware that the data was not destroyed,” the board wrote in the letter.

“We appreciate that this news may be unsettling and understand the concern this may cause. We remain committed to working closely with PowerSchool, law enforcement and the Information and Privacy Commissioner of Ontario to provide support in any way we can.”

The TDSB has said that personal student information dating back to 1985 was affected by the breach, including names, dates of birth, gender, health card numbers, home addresses, home phone numbers, and school emails.

If students provided medical information to document an allergy, illness, or condition, it was also likely affected by the breach, the TDSB said.

Staff names, employee numbers, and school email addresses were also stolen during the attack. The TDSB added that the personal numbers and home addresses of about 350 staff members could have been acquired by hackers.

The school board noted that financial or banking information as well as social insurance numbers were not stored in the system, thus were not stolen.

During a technical briefing in January, a PowerSchool official said an unauthorized actor was able to hack into the system and download data through compromised credentials.

