The Toronto District School Board (TDSB) has informed parents and staff of a renewed cyber threat following a major data breach involving education technology giant PowerSchool. The extortion attempt, made public on Wednesday, comes weeks after PowerSchool claimed to have contained the initial December 2024 ransomware attack by paying off the hacker.
Despite that payment, the hacker has reemerged — this time demanding a ransom from school districts, including TDSB, using data obtained from the original data breach.
The Initial PowerSchool Data Breach
In late December 2024, between the 22nd and 28th, PowerSchool—an education technology company whose software is used by more than 6,500 school districts and institutions across North America—was compromised in a ransomware attack. The breach affected numerous schools, including Ontario’s largest school board, the TDSB.
PowerSchool notified its clients, including TDSB, of the incident on January 7, 2025. At the time, the company took swift action, including paying a ransom to the threat actor. In return, the hacker provided a video purportedly showing the deletion of the stolen data, leading PowerSchool to believe the threat had been neutralized.
The Second Extortion Attempt
However, that belief has now been challenged. On Wednesday, TDSB Director of Education Clayton La Touche sent a letter to parents, guardians, and staff, confirming that the board had received a new extortion message earlier in the week. The threat actor claimed to possess sensitive data obtained during the December breach and demanded another ransom.
We wanted to share an important update about a cyber incident experienced by the Toronto District School Board (TDSB) involving PowerSchool—the application used by TDSB and many school boards across North America to store a range of student information and a limited amount of school-based staff information,” La Touche wrote.
According to a source familiar with the investigation, TDSB is not the only organization being re-targeted. At least four school boards have reportedly received similar extortion messages. While PowerSchool has not confirmed the exact number of affected customers, the company did release a statement acknowledging the resurgence of threats and promising to support impacted clients.
TDSB’s Response
In response to the latest development, TDSB activated its cybersecurity response plan. The board has emphasized that it is working closely with PowerSchool to conduct a thorough investigation into the nature of the threat and determine the extent of the potential data compromise.
“At this point in time, we are still assessing the exact information that may have been accessed or exported from the application,” TDSB said. “PowerSchool has informed us that it has received confirmation that the data accessed by an unauthorized user has been deleted and that no copies of this data were posted online.”
Despite these assurances, the renewed extortion attempt has cast doubt on whether the data was ever truly deleted. The board has notified the Information and Privacy Commissioner of Ontario and assured stakeholders that any confirmed exposure of personal information will be disclosed promptly.
TDSB acknowledged the concern this news may cause within the community. “Please know that we are doing everything possible to learn more from PowerSchool about what occurred and will share that information with you,” the letter read.
PowerSchool’s Position
PowerSchool responded to the situation with a public statement reiterating that it does not believe this is a new breach. According to the company, the data samples provided in the latest extortion attempts match those stolen in December, suggesting the current threat is a continuation of the original incident.
The company has reported the matter to law enforcement agencies in both the United States and Canada and has alerted all customers using its Student Information System (SIS) of the development.
“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool stated.
The company also acknowledged the difficult decision it faced in paying the initial ransom. “We believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, and one which our leadership team did not make lightly,” the statement read.
Despite receiving a video showing the deletion of the data, PowerSchool admitted there was always a risk that the attacker would not honor the agreement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said.
Support Measures for Affected Communities
As part of its mitigation strategy, PowerSchool has made credit monitoring and identity protection services available for a two-year period to all students and faculty of its SIS customers, regardless of whether their individual data was affected.
These support services are meant to help school communities manage the fallout from potential data exposure, including the risk of identity theft or fraud. PowerSchool said it remains committed to transparency and is working diligently to regain the trust of its customers.
Broader Implications for the Education Sector
As investigations continue, TDSB and other affected school boards will need to evaluate their security measures, vendor relationships, and incident response strategies. Students examining cybersecurity threats in education may also seek help with research paper assignments that analyze incidents like this one and explore broader implications for data privacy in schools. Meanwhile, PowerSchool will be under pressure to improve its security posture and reassure stakeholders that it can prevent similar incidents in the future.
For now, parents, students, and staff are left in a state of uncertainty, awaiting clarity on whether their personal data has been exposed and how the situation will be resolved.
TDSB has pledged to keep its community informed as more information becomes available. “We will continue to update the community as more information becomes available,” La Touche affirmed in the letter to stakeholders.
