PowerSchool Data Breach Exposes Information of 1.5 Million Toronto Students, Past and Present

Nearly 1.5 million current and former students at Canada’s largest school board, the Toronto District School Board (TDSB), have been impacted by a data breach involving PowerSchool, a widely used platform for managing student and staff information across North America.

According to an email from TDSB spokesperson Emma Moynihan, approximately 1.49 million students were affected. “I can confirm approximately 1.49 million TDSB students were impacted,” Moynihan stated in response to inquiries from Global News. This confirmation aligns with numbers previously reported by the online news outlet BleepingComputer, which detailed the scale of the PowerSchool breach.

The breach reportedly affected over 62 million students and 9.5 million teachers across North America and beyond, though Global News has not independently verified these figures. Alongside the TDSB, other Canadian school boards, including the Peel District School Board and Calgary Board of Education, were also listed as being impacted. Peel did not respond to requests for confirmation, while Calgary is investigating the claim.

Scope of Impact

The compromised TDSB data dates back to 1985. Affected information includes:

• 1985-2017: Health card numbers, home addresses, and phone numbers.
• 2017-2024: Medical information, principal notes, and birth dates.

Staff data was also compromised, including first, middle, and last names, employee numbers, and TDSB email addresses. Those affected include teachers, principals, office staff, superintendents, guidance counselors, and classroom support staff such as educational assistants.

The breach, which occurred between December 22 and December 28, exposed data from multiple provinces.

PowerSchool and Privacy Commission Response

PowerSchool, a U.S.-based provider of cloud software, acknowledged on its website that personally identifiable information—such as social security numbers and medical data—was involved in the breach. The company stated it is working urgently to identify those affected and has offered two years of complimentary identity protection and credit monitoring services to impacted individuals.

Canada’s Privacy Commissioner Philippe Dufresne has expressed concern over the potential consequences of the breach. His office is working to gather more information and ensure PowerSchool complies with Canada’s privacy regulations regarding breach response and reporting.

In a statement to Global News, a PowerSchool spokesperson apologized for the incident, emphasizing the company’s commitment to transparency and direct communication with customers. While the company did not confirm the numbers reported by BleepingComputer, it indicated that the majority of affected customers—more than 75%—did not have social security numbers stolen.

This breach highlights the critical need for robust cybersecurity measures in education systems, especially those entrusted with sensitive student and staff information.