An investigation determined the Greater Toronto Area school boards impacted by a cyberattack late last year did not have “reasonable measures” to prevent unwanted access to personal information they collected and lacked “necessary oversight” to monitor PowerSchool’s obligations.
The Toronto District School Board (TDSB) experienced a data breach between Dec. 22 and 28, 2024, after PowerSchool, a cloud-based platform used to store student and staff information, suffered a “cybersecurity incident” in which a “threat actor” demanded a ransom. Several other school boards across the GTA were also affected, including the Durham District School Board, Peel District School Board and York Region District School Board.
PowerSchool is used to track student registration, attendance, as well as staff data management and provincial compliance reporting, among other things.
PowerSchool said it paid a ransom in an effort to prevent the public release of the stolen data. However, a further ransom demand was made to various school boards, including the TDSB, on May 4, 2025.
Vast amounts of personal information, from health card numbers to home addresses, dating back to September 1985 may have been exposed in the incident, the TDSB had previously said. Roughly 3.86 million Ontarians were affected, according to the Office of the Information and Privacy Commissioner (IPC), and approximately 5.2 million people across the country.
Twenty school boards across the province, as well as the Ministry of Education, reported cybersecurity incidents tied to the PowerSchool breach to the IPC. Schools in Alberta were also impacted by the data breach, prompting the two provincial commissioners to coordinate their investigations.
“This case is another stark reminder that while institutions may outsource some of their responsibilities to third-party service providers, they cannot outsource their accountability for ensuring reasonable measures are in place to prevent unauthorized access to personal information in their custody or under their control,” Ontario’s Information and Privacy Commissioner Patricia Kosseim wrote in the new report.
The IPC concluded these school boards did not have “reasonable measures” in place to stop “unauthorized access to the personal information in their custody or control.” At the time of the incident, the IPC found that one school board had no breach response plan at all. What counts as a reasonable measure depends on the records being protected, Kosseim said, including their sensitivity, the level of risk and the types of threats they face.
The IPC also found some school boards did not include certain privacy and security provisions in their agreements with PowerSchool and lacked policies to oversee their safeguards.
“In some cases, institutions over-collected sensitive personal information and retained personal information far longer than necessary by not implementing appropriate retention schedules and not regularly purging personal information accordingly,” Kosseim wrote in the report published Tuesday.
“This had the effect of exposing massive volumes of personal data to the threat actor and amplifying the real risk of significant harm to those individuals impacted.”
In a statement to CTV News Toronto, the TDSB said it takes the protection of student and staff information “very seriously.”
“While the TDSB has already put in place new measures since the cyber incident, we will be working closely with PowerSchool to address the recommendations outlined in the report to further strengthen the protection of personal information,” the TDSB’s Ryan Bird said.
How did the hackers access the information?
PowerSchool previously confirmed that a threat actor gained access using compromised credentials for PowerSource, PowerSchool’s customer support portal, which provided a path into the Student Information System (SIS). From there, the attacker downloaded the student and educator tables from the database, which contained the personal information.
The compromised credentials belonged to a former subcontractor who had performed technical support for PowerSchool.
The IPC expressed concern that the same credentials were potentially used several times between Aug. 16 and Sept. 17, 2024, months before they were used again in December for the attack, without the earlier activity being detected or the account being disabled.
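The pattern the IPC describes, a former subcontractor’s credentials used for months after the engagement ended and then for a bulk download of the student and educator tables, is exactly what an audit log of a support portal or SIS can surface if someone looks. The Python below is an added example, not PowerSchool’s or the IPC’s code: it runs a small offboarding check over constructed log lines, flagging successful logins by accounts whose authorised access period has ended, and table exports far larger than any support task should need. The account names, IP addresses, table names, row counts and the June 2024 contract end date are all assumptions; only the login dates echo those reported.

```python
"""Offboarding and bulk-export check over a support-portal audit log.

Added example. Every account, IP address, table name, row count and the
roster end date below is constructed for illustration; this is not
PowerSchool's log format or data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed offboarding roster: account -> last day access was authorised.
# In practice this comes from the HR or contract system, not a hand-kept dict.
ROSTER = {
    "ext-support-17": datetime(2024, 6, 30, tzinfo=timezone.utc),  # engagement ended (assumed)
    "ext-support-22": datetime(2025, 3, 31, tzinfo=timezone.utc),  # still under contract (assumed)
}

# Constructed log lines: "<ISO timestamp> <event> key=value ...". The three
# login dates mirror the ones reported (Aug. 16, Sept. 17, Dec. 22, 2024).
PORTAL_LOG = """\
2024-08-16T03:12:44Z login_success user=ext-support-17 ip=203.0.113.7
2024-08-20T11:01:09Z login_success user=ext-support-22 ip=198.51.100.4
2024-09-17T02:55:30Z login_success user=ext-support-17 ip=203.0.113.7
2024-12-22T04:10:02Z login_success user=ext-support-17 ip=203.0.113.9
2024-12-22T04:14:51Z export table=students rows=1840233 user=ext-support-17
2024-12-22T04:21:17Z export table=teachers rows=212004 user=ext-support-17
2024-12-23T09:00:00Z export table=students rows=35 user=ext-support-22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_log(text):
    """Parse the constructed line format into Event objects; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append(Event(ts, m.group(2), fields))
    return events


def stale_credential_logins(events, roster):
    """Successful logins by accounts whose authorised access period has ended.

    Each hit is a credential that should have been revoked at offboarding.
    """
    hits = []
    for e in events:
        if e.kind != "login_success":
            continue
        end = roster.get(e.fields.get("user"))
        if end is not None and e.ts > end:
            hits.append(e)
    return hits


def bulk_exports(events, row_threshold=10_000):
    """Table exports whose row count exceeds what a support task should need."""
    return [e for e in events if e.kind == "export" and int(e.fields["rows"]) > row_threshold]


def report(text=PORTAL_LOG, roster=ROSTER):
    """Run both checks and single out bulk exports by a stale-credential account."""
    events = parse_log(text)
    stale = stale_credential_logins(events, roster)
    bulk = bulk_exports(events)
    stale_users = {e.fields["user"] for e in stale}
    # A revoked identity moving whole tables is the highest-priority finding.
    critical = [e for e in bulk if e.fields["user"] in stale_users]
    return {"stale_logins": stale, "bulk_exports": bulk, "critical": critical}


if __name__ == "__main__":
    for label, evs in report().items():
        print(f"{label}: {len(evs)}")
        for e in evs:
            print("   ", e.ts.isoformat(), e.kind, e.fields)
```

On the constructed log the first stale login fires in August, four months before the December download; the point of the roster join is that the August and September hits alone would have been enough to disable the account had anyone been comparing portal logins against the list of people still under contract.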
A 20-year-old man from Sterling, Mass., was sentenced in October to four years in prison after pleading guilty to the cyberextortion of two U.S.-based companies’ computer networks, including PowerSchool’s. The IPC notes he demanded around US$2.85 million in Bitcoin as ransom in exchange for not leaking the information of more than 60 million students and 10 million teachers.
What did the IPC recommend?
The IPC recommends that any institution not already doing so restrict access to sensitive student information through PowerSource, and review PowerSchool’s security and information management policies to confirm that the vulnerabilities that led to the breach have been addressed.
The privacy commissioner recommends reviewing agreements with PowerSchool, and renegotiating if there are no provisions upholding the privacy and security of personal, sensitive data.
The report also advises school boards to immediately stop collecting unnecessary personal information, such as Social Insurance Numbers and health card numbers, to review how long they retain personal information in their systems, and to review their data breach response protocols.
All school boards have to provide the IPC proof that they have complied with all of the commissioner’s recommendations within six months from now, the report added.
“To address the serious vulnerabilities identified in this report in a comprehensive and consistent manner and to effectively mitigate the chances of such a cyberattack recurring, I believe it will take a highly coordinated, sector-wide approach,” Kosseim wrote, calling on all school boards to work collaboratively when negotiating agreements and asking those with more cybersecurity knowledge to share their expertise and analyses of a given education technology (ed-tech) provider.
Kosseim also urges the province to provide clearer guidance on how to use ed-tech in schools, to help boards take a coordinated approach to securing contracts, and to deliver the necessary cybersecurity training and resources to “elevate the overall cyber resilience as a whole.”
The federal privacy watchdog discontinued its investigation into the breach, citing satisfaction with the company’s response and move to boost its security measures.
PowerSchool has said it will provide the commissioner with an independent security assessment and report by March 2026.
With files from Bryann Aguilar and Laura Sebben, and The Canadian Press