Toronto school district says data not deleted after ransom was paid to hacker
The Toronto District School Board (TDSB) told parents and staff on Wednesday that it was sent an extortion letter even after a hacker was paid off by the ed tech giant PowerSchool to prevent the leak of sensitive data.
PowerSchool’s December hack impacted more than 6,500 school districts or individual schools, including Toronto’s school system. After paying the hacker a ransom, PowerSchool previously said it believed the incident had been “contained” because the hacker turned over a video showing the data being deleted.
That promise seems to have not been kept.
A letter sent to all parents and staff on Wednesday by TDSB Director of Education Clayton La Touche advised that earlier this week officials “received a communication from a threat actor demanding a ransom using data from the previously reported December 2024 incident.”
La Touche told parents that while PowerSchool had “informed school boards that the data accessed by an unauthorized user had been deleted and that no copies of this data were posted online … there was a risk that the threat actors would not honor their commitment to delete the stolen data, despite assurances provided to PowerSchool.”
The letter did not address whether TDSB intends to pay the ransom demanded by the hacker.
A source familiar with the investigation who is not authorized to speak publicly about the new extortion demands on Wednesday told Recorded Future News that four school boards have recently been contacted with individual solicitations for ransom payments.
On Wednesday, PowerSchool said “we sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” though it did not comment specifically on the Toronto incident.
The Toronto school system currently serves about 235,000 students in 582 schools.
In a previous communication to parents, the school board revealed that personal data going back to 1985 had potentially been breached.
TDSB has told parents and staff that the types of information stored in the breached system includes names, dates of birth, health care numbers, special ed accommodations, medical information, residency status, disciplinary notes and home and email addresses, according to its web page.
The hacked medical information may include any disorders parents made schools aware of when enrolling their child, TDSB has said.
The TDSB said it is working closely with law enforcement, PowerSchool and the Ontario Privacy Commissioner to support impacted individuals.
Last August, TDSB revealed that it had been hit with a separate ransomware in June which involved student data. The LockBit ransomware gang ultimately claimed responsibility for the attack and demanded TDSB pay a ransom within 13 days.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.