Approximately 1.5 million students, both current and former, at Canada’s largest school board, the Toronto District School Board, were impacted by a data breach of PowerSchool, a system used by schools across North America to store student and staff data. The breach, which was first reported by the online news site BleepingComputer, allegedly affected more than 62 million students and 9.5 million teachers across North America. Among the Canadian school boards impacted were the Peel District School Board and Calgary Board of Education.
The data breach of PowerSchool resulted in a leak of information dating back to 1985 for students who attended TDSB schools. Data such as health card numbers, home addresses, and phone numbers for students attending between 1985 and 2017 may have been impacted, while medical information, principal notes, and dates of birth for students attending between 2017 and December 2024 may have also been compromised. In addition to student data, some staff members at TDSB had their information exposed, including names, employee numbers, and email addresses. Among those affected were teachers, principals, office staff, superintendents, guidance counselors, and classroom support staff.
The PowerSchool data breach occurred between December 22 and 28, affecting schools in multiple provinces. The provider of the cloud software, based in the U.S., acknowledged that some personally identifiable information, such as social security numbers and medical information, was involved in the breach. Canada’s privacy commissioner, Philippe Dufresne, expressed concern about the potential impact of the incident on students’ personal information across the country and stated that his office was working to gather more information about the breach. PowerSchool has been working to identify those impacted by the breach, offering two years of complimentary identity protection services and credit monitoring for affected students.
In response to the data breach, Canada’s privacy commissioner has been communicating with PowerSchool to ensure compliance with Canadian privacy regulations. PowerSchool has acknowledged the significance of the incident and expressed regret that it occurred. The company has prioritized transparency and direct communication with its customers and assured that it is working with urgency to address the breach. While not intending to downplay the numbers reported by BleepingComputer, PowerSchool clarified that the majority of affected customers did not have their social security numbers exposed. The company stated that it is committed to providing support and protection for those impacted by the breach, including identity protection services and credit monitoring for applicable students.
Overall, the data breach of PowerSchool has had a significant impact on students and staff at the Toronto District School Board, as well as other school boards across Canada. The breach compromised a wide range of personal information dating back several decades, highlighting the importance of data security and protection in educational institutions. Both PowerSchool and regulatory authorities are working to address the breach, provide support to those affected, and ensure compliance with privacy regulations. The incident serves as a reminder of the potential risks associated with storing sensitive information in digital platforms and the need for robust cybersecurity measures to safeguard personal data.
