LATEST STORIES:

Toronto District School Board says it got a ransom demand over stolen student data

Four small modular reactors at Darlington to cost $21 billion to build

Niagara police arrest man and woman on drugs and gun charges

Police investigation in Brantford closes parts of Henry Street

Study finds no evidence to support New Brunswick’s mystery brain disease

Peel Public Health warns of possible measles exposure on Seattle to Toronto flight

Toronto District School Board says it got a ransom demand over stolen student data

  • Updated:
A man uses a computer keyboard in Toronto, Monday, Oct. 9, 2023 in this photo illustration (Graeme Roy/The Canadian Press).
Share this story...

TORONTO — Canada’s largest school board says it has received a ransom demand over student data that was stolen last December, even though the company behind the affected software paid ransom in hopes of securing that information.

The Toronto District School Board said in a letter to parents and caregivers on Wednesday that it recently learned the data was not destroyed and that a “threat actor” has demanded ransom.

PowerSchool, the United States-based software company that provides the student information system to schools across North America, confirmed Wednesday that it paid a ransom after the December 2024 breach, in hopes of preventing public release of the stolen data.

“We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” it said in a statement.

“It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

READ MORE: Kids at east Hamilton elementary school enjoy guest-filled Career Day

PowerSchool has previously told school boards in Newfoundland and Labrador, Nova Scotia, Ontario, Alberta and elsewhere that it had experienced a data breach between Dec. 22 and 28.

The type of data stolen depends on the school board and in TDSB’s case, that may include students’ birthdays, addresses, health card numbers, emergency contacts and some medical information stored since September 2017.

“TDSB does not store any Social Insurance Numbers, financial or banking information in PowerSchool, so that information was not affected in any way by the breach,” the school board’s letter said.

PowerSchool said it’s aware “that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident.”

The matter has been reported to law enforcement agencies in Canada and the United States, it said.

“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”

Nova Scotia’s Education Department has previously said that the breach could have a financial impact on some former and current teachers and staff, since some social insurance numbers collected before 2010 were included in the stolen data.

Canada’s privacy watchdog announced in February a formal investigation into the PowerSchool data breach.

The Toronto District School Board said that while the latest development in the case may be “unsettling,” it is working closely with the company, law enforcement and the provincial privacy commissioner to support those affected.

PowerSchool is offering two years of credit monitoring and identity protection services for students and faculty in affected school boards, “regardless of whether they were individually involved.”

This report by The Canadian Press was first published May 7, 2025.

Related Stories