School boards hit with ransom demands linked to PowerSchool cyberattack

Jessica Wong · CBC News

· Posted: May 07, 2025 9:06 PM EDT | Last Updated: 44 minutes ago

Canada's largest schoolhouse committee and others crossed North America person received ransom demands connected to the monolithic PowerSchool cybersecurity breach that deed during the wintertime interruption — this aft the institution paid hackers a ransom to delete the stolen data. 

Despite assurances that the information was deleted, it turns retired that's not the case, the Toronto District School Board (TDSB) said Wednesday. 

The committee said successful an email to families connected Wednesday it had received a ransom request "from a menace actor" using information from the December 2024 breach. 

Peel District School Board, westbound of Toronto, and the Calgary Board of Education, the largest successful Western Canada, besides alerted families astir extortion attempts utilizing the data, which was stolen after a PowerSchool head relationship utilized to supply method enactment was compromised. 

School divisions close crossed Canada — successful Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, Prince Edward Island and Saskatchewan — chiefly usage the California company's web-based strategy to manage pupil personal, and sometimes aesculapian information, grades and different details. Some usage it arsenic a portal to pass with families.

Different types of information — in immoderate cases going backmost decades — were accessed successful the breach. Depending connected the board, that mightiness person included names, commencement dates, location code and telephone numbers. In different cases, adjacent much idiosyncratic info specified arsenic pupil recognition numbers, gender, aesculapian info and exigency contacts mightiness person been exposed.

The institution said Wednesday its determination to wage the ransom had been difficult. The institution did not accidental however overmuch it paid. 

"We believed it to beryllium successful the champion involvement of our customers and the students and communities we serve," the institution said successful a statement, adding that the caller ransom demands person been reported to U.S. and Canadian instrumentality enforcement. 

"We sincerely regret these developments — it pains america that our customers are being threatened and re-victimized."

Both the Toronto and Calgary boards again encouraged families to prosecute PowerSchool's connection of recognition monitoring and individuality extortion services.

'Some superior damage'

This latest improvement is simply a "worst-case script travel true," exertion expert Carmi Levy said from London, Ont.

"Whenever a ransom is paid, that's the hazard you tally and unluckily successful this case, they gambled and they lost."

Data — including pupil accusation — has precocious worth to cybercriminals, who tin harvester it with details stolen successful different breaches to make a much fulsome bundle to beryllium utilized for individuality theft oregon fiscal attacks, Levy says.

"Even thing arsenic innocuous arsenic the code of the location wherever we grew up oregon the names of our teachers erstwhile we were kids tin beryllium utilized to summation entree to different accounts that bash substance successful the contiguous day, similar our slope accounts," helium said. 

"This is highly damaging data, highly idiosyncratic and — successful the hands of a cybercriminal — tin bash immoderate superior damage." 

More security, amended connection needed

When it comes to cybersecurity, "attackers lone person to beryllium palmy erstwhile and defenders person to beryllium successful... each of the time," said Charles Finlay, enforcement manager of the Rogers Cyber Secure Catalyst astatine Toronto Metropolitan University.

He says there's overmuch schoolhouse boards tin bash to amended however they unafraid the information entrusted to them and to marque cyberattacks "as hard arsenic imaginable and for these events to beryllium arsenic uncommon arsenic possible."

For Toronto genitor Jack Ammendolia, schoolhouse boards sending clear, honorable and much regular updates would besides beryllium appreciated. 

He has a lad successful Grade 2 and has been pursuing the TDSB's emails astir this and different breaches for years. 

"At this point, I deliberation you commencement to suffer assurance successful those assurances," helium said. "It's been a fewer times now." The committee was deed by different cyberattack successful August.

Ammendolia reported the PowerSchool breach to the Information and Privacy Commissioner of Ontario arsenic an individual, for instance, and says he's since received an update that included immoderate of the TDSB's efforts to amended its information security.

He says helium feels that's accusation that should beryllium shared wide with each parents, not conscionable those who reached retired to the privateness commissioner. 

He says nary 1 expects schools volition forestall each cyberattack, but "hopefully determination tin beryllium things successful spot to trim the incidence complaint [and] conscionable letting parents know" much astir them.