The Toronto District School Board (TDSB), Canada’s largest school district, confirmed this week that sensitive information spanning four decades was compromised in a major cyberattack against PowerSchool. The breach affects virtually every student who attended the board’s schools between September 1985 and December 2024.
Scope of the Data Exposure
The TDSB, which manages the education of approximately 240,000 students annually, utilized PowerSchool’s systems to archive historical records for former student requests. According to official correspondence sent to parents, the stolen dataset includes names, home addresses, dates of birth, and telephone numbers.
The severity of the incident varies by timeframe. While older records contain primary student identification details, files dating from 2017 onward also include contact information for parents and legal guardians, significantly increasing the risk of targeted phishing or identity-related fraud.
PowerSchool’s Response and Verification
In the wake of the intrusion, the TDSB reported that PowerSchool representatives claimed to have received confirmation from the unauthorized actors that the exfiltrated data had been deleted. However, this assertion remains unverified by independent security audits.
PowerSchool has yet to provide specific evidence or technical details regarding the nature of this “confirmation,” leaving many parents and stakeholders concerned about the permanent exposure of their children’s historical records. The school board continues to monitor the situation as the investigation into the extent of the unauthorized access persists.