Canada

School boards hit with ransom demands linked to PowerSchool cyberattack

Canada's largest school board and others across North America have received ransom demands connected to the massive PowerSchool cybersecurity breach that hit during the winter break — this after the company paid hackers a ransom to delete the stolen data. 

Latest development is 'worst-case scenario come true,' says tech analyst

PowerSchool hacker extorting school districts

14 hours ago
Duration 2:00
Some parents learned Wednesday that their children’s personal information, stolen in last December’s PowerSchool data breach, was never deleted despite the company paying a ransom. With hackers still holding millions of student records, experts urge caution.

Canada's largest school board and others across North America have received ransom demands connected to the massive PowerSchool cybersecurity breach that hit during the winter break — this after the company paid hackers a ransom to delete the stolen data. 

Despite assurances that the data was deleted, it turns out that's not the case, the Toronto District School Board (TDSB) said Wednesday. 

The board said in an email to families on Wednesday it had received a ransom demand "from a threat actor" using data from the December 2024 breach. 

Peel District School Board, west of Toronto, and the Calgary Board of Education, the largest in Western Canada, also alerted families about extortion attempts using the data, which was stolen after a PowerSchool administrator account used to provide technical support was compromised. 

School divisions right across Canada — in Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, Prince Edward Island and Saskatchewan — primarily use the California company's web-based system to manage student personal, and sometimes medical information, grades and other details. Some use it as a portal to communicate with families.

Different types of data — in some cases going back decades — were accessed in the breach. Depending on the board, that might have included names, birth dates, home address and phone numbers. In other cases, even more personal info such as student identification numbers, gender, medical info and emergency contacts might have been exposed.

man
Tech analyst Carmi Levy calls the latest ransom demands a 'worst-case scenario come true.' (Submitted by Carmi Levy)

The company said Wednesday its decision to pay the ransom had been difficult. The company did not say how much it paid. 

"We believed it to be in the best interest of our customers and the students and communities we serve," the company said in a statement, adding that the new ransom demands have been reported to U.S. and Canadian law enforcement. 

"We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized."

Both the Toronto and Calgary boards again encouraged families to pursue PowerSchool's offer of credit monitoring and identity protection services.

'Some serious damage'

This latest development is a "worst-case scenario come true," technology analyst Carmi Levy said from London, Ont.

"Whenever a ransom is paid, that's the risk you run and unfortunately in this case, they gambled and they lost."

A man, blurred, walks in front of wall of servers
School boards can do more to secure their systems and make cyberattacks 'as difficult as possible,' says security expert Charles Finlay. (Evan Mitsui/CBC)

Data — including student information — has high value to cybercriminals, who can combine it with details stolen in other breaches to create a more fulsome package to be used for identity theft or financial attacks, Levy says.

"Even something as innocuous as the address of the home where we grew up or the names of our teachers when we were kids can be used to gain access to other accounts that do matter in the present day, like our bank accounts," he said. 

"This is highly damaging data, highly personal and — in the hands of a cybercriminal — can do some serious damage." 

More security, better communication needed

When it comes to cybersecurity, "attackers only have to be successful once and defenders have to be successful... all of the time," said Charles Finlay, executive director of the Rogers Cyber Secure Catalyst at Toronto Metropolitan University.

He says there's much school boards can do to improve how they secure the data entrusted to them and to make cyberattacks "as difficult as possible and for these events to be as rare as possible."

A bearded man in a red and blue checked shirt sits in an indoor living room, looking off-camera to the right.
Toronto parent Jack Ammendolia, whose son is in Grade 2, had already been wary about cyberattacks on schools before the PowerSchool incident. (CBC)

For Toronto parent Jack Ammendolia, school boards sending clear, honest and more regular updates would also be appreciated. 

He has a son in Grade 2 and has been following the TDSB's emails about this and other breaches for years. 

"At this point, I think you start to lose confidence in those assurances," he said. "It's been a few times now." The board was hit by another cyberattack in spring 2024.

Ammendolia reported that breach to the Information and Privacy Commissioner of Ontario as an individual, for instance, and says he's since received an update that included some of the TDSB's efforts to improve its data security.

He says he feels that's information that should be shared widely with all parents, not just those who reached out to the privacy commissioner. 

He says no one expects schools will prevent every cyberattack, but "hopefully there can be things in place to reduce the incidence rate [and] just letting parents know" more about them.

ABOUT THE AUTHOR

Jessica Wong

Senior Digital Writer

Based in Toronto, Jessica Wong is currently on assignment with CBC's Network Talk Radio Digital team. She covers Canadian education stories for CBC News. In a past life, she covered national and international arts and entertainment news. You can reach her at jessica.wong@cbc.ca.

With files from Jamie Strashin and Nazama Walji

Add some “good” to your morning and evening.

Start the day smarter. Get the CBC News Morning Brief, the essential news you need delivered to your inbox.

...

The next issue of CBC News Morning Brief will soon be in your inbox.

Discover all CBC newsletters in the Subscription Centre.opens new window

This site is protected by reCAPTCHA and the Google Privacy Policy and Google Terms of Service apply.