Toronto District School Board
Skip to main content

PowerSchool Cyber Incident

 

 


On Tuesday, January 7, 2025, PowerSchool notified TDSB and other school boards in Ontario and across North America that a PowerSchool system had experienced a data breach between December 22-28, 2024.

The safety and security of student and staff information continues to be our top priority. These Frequently Asked Questions have been developed for your information and they will continue to be updated as more information becomes available. Community updates will also continue to be posted here and you may wish to view FAQs from PowerSchool.

TDSB Communication and Breach Notification Letters:

January 8, 2025: Letter to Parents, Guardians and Caregivers re: PowerSchool Cyber Incident 
January 8, 2025: Letter to Staff re: PowerSchool Cyber Incident
January 20, 2025: Letter to Parents, Guardians and Caregivers re: Power School Cyber Incident - Data Breach Notice
January 20, 2025: Letter to Staff re: Update on PowerSchool Cyber Incident - Data Breach Notice
January 20, 2025: Letter to Staff re: Update on PowerSchool Cyber Incident - Data Breach Notice

 

FAQs

Q: What is PowerSchool?

PowerSchool is the platform used by TDSB and many school boards across North America to store a range of student information and a limited amount of school-based staff information. The type of information entered varies from one school board to another.


Q: Where was the breached information stored?

The information that was breached was housed in PowerSchool’s Student Information System (“SIS”) cloud and was not directly accessed through the TDSB.


Q: How is TDSB responding?

TDSB’s cybersecurity team promptly activated our response plan, taking immediate steps to ensure that our critical systems remain operational and secure. TDSB can confirm that our environment is secure, and that there is no ongoing unauthorized access to any data, either stored in the PowerSchool Student Information System or elsewhere. TDSB has also notified the Information and Privacy Commissioner of Ontario and is consulting with them on this issue.


Q: What type of student information was affected?

While our investigation with PowerSchool continues, we have now confirmed the types of personal information stored in PowerSchool's Student Information System that may have been accessed and acquired by an unauthorized user. The information includes the following:

Students between September 1, 2017 and December 28, 2024

  • First, Middle & Last Names
  • Date of Birth
  • Gender
  • Health Card Number
  • Grade Level and School Information
  • Start/End Date as a Student
  • Ontario Education Number
  • EQAO Accommodation Information
  • Medical Information (ie. allergies, conditions, injuries)
  • Home Addresses
  • Home Phone Numbers
  • TDSB Student Number
  • TDSB Email Address
  • First Nations, Métis, Inuit Information
  • Residency Status
  • Principal/Vice Principal Notes (including discipline notes)
 

Students between September 3, 1985 and August 31, 2017

  • First, Middle & Last Names
  • Date of Birth
  • Gender
  • Health Card Number
  • Ontario Education Number
  • Home Addresses
  • Home Phone Numbers
  • TDSB Student Number
  • TDSB Email Address
  • First Nations, Métis, Inuit Information

Q: What type of parent/guardian/caregiver information was affected?
 

Current Parent/guardian/caregiver and emergency contact information (Parents of students who were registered in the 2017/2018 school year or later)

  • First, Middle & Last Names
  • Home & Mobile Phone Numbers
  • Email Addresses
  • Relationship to Student
  • Home Addresses

Q: What type of staff information was affected?

While our investigation with PowerSchool continues, we have now confirmed that some staff information stored in PowerSchool’s Student Information System may have been accessed and acquired by an unauthorized user.

Staff who fall within the following categories are impacted by this incident:

  • Principals and Vice-Principals
  • Teachers
  • Gender
  • Classroom support staff (eg. Educational Assistants, Dedicated Early Childhood Educators, Child and Youth Workers, Special Needs Assistants)
  • Office Staff (Office Administrators, Assistants, Secretaries)
  • Guidance Counsellors
  • Superintendents
  • Administrative Liaisons
 

Note that School-Based Safety Monitors, Caretakers and Lunchroom Supervisors were not impacted.

The information includes the following:

  • First, Middle & Last Names
  • Employee Number
  • TDSB Email Address
 

In addition to this information, a very limited number (approximately 350) of staff members’ personal phone number or home address was stored in PowerSchool’s Student Information System.


Q: Was financial and other school based information affected?

No. The following information is not stored in PowerSchool’s Student Information System and was not affected by this cyber incident:

  • Financial or Credit Card Information
  • Social Insurance Number
  • Individual Education Plans (IEP)
  • Attendance records
  • Achievement Information, Report Card Marks or Comments
  • Student Photos

Q: What Steps Have Been Taken to Protect Privacy?

PowerSchool shared with its customers that they have taken a number of steps in response to the incident, including:

  • Changing the passwords for all their staff who access the platform
  • Increasing the password strength requirements of PowerSchool staff passwords
  • Contacted law enforcement
  • Brought in two security companies to assist with responding to the breach

Q: Was my medical information affected?

If you provided your medical information to TDSB to document an allergy, illness or condition, your medical information was likely affected by the data breach. Please note that medical information does not include information from your Ontario Student Record or medical information provided to members of TDSB’s Professional Support Services team (e.g. Psychologists, Occupational Therapists, Physiotherapists, Audiologists, Speech-Language Pathologists, and Social Workers). This information was not impacted by this incident.


Q: Why would TDSB have my health card number?

Health card numbers were originally collected to use in the event that a student requires urgent medical attention during the school day. TDSB has taken steps to delete all health card information for current and previous students. Moving forward, TDSB will not be collecting this information. Of note, many older health cards (including the old red and white cards) would have expired since they were recorded in TDSB’s system.


Q: Why does the TDSB keep the records of former students?

This historical student information is kept in PowerSchool’s Student Information System in order to respond to requests for former student records (transcripts).


Q: Are TDSB operations affected?

No. Everything is working normally, and your child's education will not be disrupted.


Q: Will credit monitoring/identity theft protection be provided for affected individuals?

PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. They are doing this despite the fact that no TDSB student or educator Social Insurance Numbers were impacted by this incident.

In the coming days, PowerSchool will be providing additional information on how to sign up for these services and it will be posted on this page. TDSB will update this FAQ as more information becomes available.


Q: Who can I contact if I have further questions about this incident?

For questions around the PowerSchool Cyber Incident, please contact
cyberincident@tdsb.on.ca.


Q: Can you confirm if my or my child’s information was accessed?

If you were a student at TDSB between September 3, 1985 and December 28, 2024, you were impacted by this incident. Please see the information provided in the FAQ on this page under: “What type of student information was affected?” The student information affected depends on which year(s) you were registered as a student at TDSB.