Canada’s largest school board and others across North America have received ransom demands connected to the massive PowerSchool cybersecurity breach that hit during the winter break — this after the company paid hackers a ransom to delete the stolen data.
Despite assurances that the data was deleted, it turns out that’s not the case, the Toronto District School Board (TDSB) said Wednesday.
The board said in an email to families on Wednesday it had received a ransom demand “from a threat actor” using data from the December 2024 breach.
Peel District School Board, west of Toronto, and the Calgary Board of Education, the largest in Western Canada, also alerted families about extortion attempts using the data, which was stolen after a PowerSchool administrator account used to provide technical support was compromised.
School divisions right across Canada — in Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, Prince Edward Island and Saskatchewan — primarily use the California company’s web-based system to manage student personal, and sometimes medical information, grades and other details. Some use it as a portal to communicate with families.
Different types of data — in some cases going back decades — were accessed in the breach. Depending on the board, that might have included names, birth dates, home address and phone numbers. In other cases, even more personal info such as student identification numbers, gender, medical info and emergency contacts might have been exposed.
The company said Wednesday its decision to pay the ransom had been difficult. The company did not say how much it paid.
“We believed it to be in the best interest of our customers and the students and communities we serve,” the company said in a statement, adding that the new ransom demands have been reported to U.S. and Canadian law enforcement.
“We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized.”
Both the Toronto and Calgary boards again encouraged families to pursue PowerSchool’s offer of credit monitoring and identity protection services.
This latest development is a “worst-case scenario come true,” technology analyst Carmi Levy said from London, Ont.
“Whenever a ransom is paid, that’s the risk you run and unfortunately in this case, they gambled and they lost.”
Data — including student information — has high value to cybercriminals, who can combine it with details stolen in other breaches to create a more fulsome package to be used for identity theft or financial attacks, Levy says.
“Even something as innocuous as the address of the home where we grew up or the names of our teachers when we were kids can be used to gain access to other accounts that do matter in the present day, like our bank accounts,” he said.
“This is highly damaging data, highly personal and — in the hands of a cybercriminal — can do some serious damage.”
When it comes to cybersecurity, “attackers only have to be successful once and defenders have to be successful… all of the time,” said Charles Finlay, executive director of the Rogers Cyber Secure Catalyst at Toronto Metropolitan University.
He says there’s much school boards can do to improve how they secure the data entrusted to them and to make cyberattacks “as difficult as possible and for these events to be as rare as possible.”
For Toronto parent Jack Ammendolia, school boards sending clear, honest and more regular updates would also be appreciated.
He has a son in Grade 2 and has been following the TDSB’s emails about this and other breaches for years.
“At this point, I think you start to lose confidence in those assurances,” he said. “It’s been a few times now.” The board was hit by another cyberattack in August.
Ammendolia reported the PowerSchool breach to the Information and Privacy Commissioner of Ontario as an individual, for instance, and says he’s since received an update that included some of the TDSB’s efforts to improve its data security.
He says he feels that’s information that should be shared widely with all parents, not just those who reached out to the privacy commissioner.
He says no one expects schools will prevent every cyberattack, but “hopefully there can be things in place to reduce the incidence rate [and] just letting parents know” more about them.
