TDSB Student Data Breach: Ransom Paid But Information Still Compromised
The Toronto District School Board is facing an escalating crisis as sensitive student information remains exposed despite a ransom payment. Parents now receive direct extortion attempts as cybercriminals leverage stolen health records and personal data from Canada’s largest school district.
The Toronto District School Board (TDSB) finds itself in a cybersecurity nightmare following revelations that sensitive student data remains compromised despite a ransom payment. The breach, initially detected in December 2024, has taken a more sinister turn as threat actors are now directly contacting the school board with new extortion demands.
What makes this situation particularly troubling is that PowerSchool, the software provider whose systems were breached, had previously assured stakeholders that paying the ransom would secure the destruction of stolen data. This promise has proven hollow, leaving decades of student records vulnerable.
The breach has exposed highly sensitive student information dating back to 1985, including:
TDSB officials have confirmed that social insurance numbers and financial information were not compromised, as these are not stored within the PowerSchool system.
On May 7, 2025, PowerSchool acknowledged making what they termed a “difficult decision” to pay ransom to the attackers. The U.S.-based education technology company, which provides student information systems to schools throughout North America, defended this controversial move in a public statement:
“We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” the company explained. “It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action.”
The attack vector has been identified as a compromised PowerSchool administrator account used for technical support purposes. This unauthorized access allowed hackers to extract various types of student data, some dating back nearly four decades.
The situation escalated around May 5-6, 2025, when TDSB officials received direct communication from cybercriminals demanding additional ransom payments. These demands explicitly referenced data from the December breach, confirming that the information had not been destroyed as previously claimed.
The TDSB is not alone in facing these renewed threats. Other major Canadian educational institutions have reported similar extortion attempts, including:
In response to these developments, PowerSchool has offered affected individuals two years of complimentary credit monitoring and identity protection services, regardless of whether they were specifically targeted.
Parents have expressed growing frustration with how the breach has been handled. Jack Ammendolia, parent of a Grade 2 student, voiced concerns about diminishing confidence in school authorities.
“At this point, I think you start to lose confidence in those assurances. It’s been a few times now,” Ammendolia stated. He believes that information about security improvements should be shared transparently with all parents, not just those who have formally reported concerns to privacy officials.
In February, the Canadian privacy watchdog launched a formal investigation into the PowerSchool data breach, signaling increased regulatory scrutiny of data protection practices in educational settings.
TDSB officials continue working closely with:
This incident serves as a stark reminder of the evolving threats facing schools in an increasingly digital environment. Educational institutions must prioritize:
As educational institutions increasingly rely on digital systems to manage student information, the TDSB case demonstrates the critical importance of robust security frameworks. Schools must balance the convenience of centralized data management with the responsibility to protect highly sensitive information about vulnerable populations.
The incident highlights why educational institutions need specialized cybersecurity approaches that acknowledge their unique risk profile: they possess valuable personal data but often operate with limited security resources compared to financial or healthcare organizations facing similar threats.
PowerSchool is a leading provider of cloud-based software for K-12 education, serving more than 45 million students across over 90 countries. The company’s products include student information systems, learning management tools, and assessment platforms designed specifically for educational environments. Founded in 1997 and headquartered in Folsom, California, PowerSchool became a publicly traded company in 2021. The company has acquired numerous education technology providers over the past decade to expand its service offerings across the education sector.