Full Report
The Toronto District School Board (TDSB) has informed parents and staff of a renewed cyber threat following a major data breach involving education technology giant PowerSchool. The extortion attempt, made public on Wednesday, comes weeks after PowerSchool claimed to have contained the initial December 2024 ransomware attack by paying off the hacker. Despite that payment, the hacker has reemerged — this time demanding a ransom from school districts, including TDSB, using data obtained from the original data breach. The Initial PowerSchool Data Breach In late December 2024, between the 22nd and 28th, PowerSchool—an education technology company whose software is used by more than 6,500 school districts and institutions across North America—was compromised in a ransomware attack. The breach affected numerous schools, including Ontario’s largest school board, the TDSB. PowerSchool notified its clients, including TDSB, of the incident on January 7, 2025. At the time, the company took swift action, including paying a ransom to the threat actor. In return, the hacker provided a video purportedly showing the deletion of the stolen data, leading PowerSchool to believe the threat had been neutralized. The Second Extortion Attempt However, that belief has now been challenged. On Wednesday, TDSB Director of Education Clayton La Touche sent a letter to parents, guardians, and staff, confirming that the board had received a new extortion message earlier in the week. The threat actor claimed to possess sensitive data obtained during the December breach and demanded another ransom. We wanted to share an important update about a cyber incident experienced by the Toronto District School Board (TDSB) involving PowerSchool—the application used by TDSB and many school boards across North America to store a range of student information and a limited amount of school-based staff information," La Touche wrote. According to a source familiar with the investigation, TDSB is not the only organization being re-targeted. At least four school boards have reportedly received similar extortion messages. While PowerSchool has not confirmed the exact number of affected customers, the company did release a statement acknowledging the resurgence of threats and promising to support impacted clients. TDSB’s Response In response to the latest development, TDSB activated its cybersecurity response plan. The board has emphasized that it is working closely with PowerSchool to conduct a thorough investigation into the nature of the threat and determine the extent of the potential data compromise. “At this point in time, we are still assessing the exact information that may have been accessed or exported from the application,” TDSB said. “PowerSchool has informed us that it has received confirmation that the data accessed by an unauthorized user has been deleted and that no copies of this data were posted online.” Despite these assurances, the renewed extortion attempt has cast doubt on whether the data was ever truly deleted. The board has notified the Information and Privacy Commissioner of Ontario and assured stakeholders that any confirmed exposure of personal information will be disclosed promptly. TDSB acknowledged the concern this news may cause within the community. “Please know that we are doing everything possible to learn more from PowerSchool about what occurred and will share that information with you,” the letter read. PowerSchool’s Position PowerSchool responded to the situation with a public statement reiterating that it does not believe this is a new breach. According to the company, the data samples provided in the latest extortion attempts match those stolen in December, suggesting the current threat is a continuation of the original incident. The company has reported the matter to law enforcement agencies in both the United States and Canada and has alerted all customers using its Student Information System (SIS) of the development. "We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors," PowerSchool stated. The company also acknowledged the difficult decision it faced in paying the initial ransom. “We believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, and one which our leadership team did not make lightly,” the statement read. Despite receiving a video showing the deletion of the data, PowerSchool admitted there was always a risk that the attacker would not honor the agreement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said. Support Measures for Affected Communities As part of its mitigation strategy, PowerSchool has made credit monitoring and identity protection services available for a two-year period to all students and faculty of its SIS customers, regardless of whether their individual data was affected. These support services are meant to help school communities manage the fallout from potential data exposure, including the risk of identity theft or fraud. PowerSchool said it remains committed to transparency and is working diligently to regain the trust of its customers. Broader Implications for the Education Sector As investigations continue, TDSB and other affected school boards will need to evaluate their security measures, vendor relationships, and incident response strategies. Meanwhile, PowerSchool will be under pressure to improve its security posture and reassure stakeholders that it can prevent similar incidents in the future. For now, parents, students, and staff are left in a state of uncertainty, awaiting clarity on whether their personal data has been exposed and how the situation will be resolved. TDSB has pledged to keep its community informed as more information becomes available. “We will continue to update the community as more information becomes available,” La Touche affirmed in the letter to stakeholders.
Analysis Summary
# Incident Report: PowerSchool Data Breach and TDSB Extortion
## Executive Summary
A significant data breach occurred involving the PowerSchool student information system (SIS), which subsequently led to an extortion attempt targeting the Toronto District School Board (TDSB). Attackers successfully exfiltrated sensitive data, forcing PowerSchool victims to offer credit monitoring services amid uncertainty regarding the attackers' compliance with deletion assurances. The primary impact is the potential exposure of student and faculty data, requiring extensive identity protection measures for affected communities.
## Incident Details
- **Discovery Date:** Not explicitly stated, implied around May 9, 2025, based on publication date.
- **Incident Date:** Not precisely stated (when the breach occurred).
- **Affected Organization:** PowerSchool (the vendor); Toronto District School Board (TDSB) is a primary affected customer.
- **Sector:** Education Technology/K-12 Education.
- **Geography:** North America (TDSB is in Toronto, Canada).
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified.
- **Vector:** Indirect impact via compromise of the PowerSchool environment (a third-party vendor).
- **Details:** Attackers gained access to PowerSchool’s systems, exfiltrating data belonging to school board customers, including TDSB.
### Lateral Movement
- **Details:** Not specified in detail, but assumed to involve movement within the PowerSchool infrastructure to locate and extract relevant education records.
### Data Exfiltration/Impact
- **Details:** Sensitive data belonging to students and faculty of PowerSchool customer school boards (like TDSB) was stolen. The attackers initiated an extortion phase against affected organizations.
### Detection & Response
- **Detection:** Detection occurred when the attackers initiated extortion demands, revealing the initial data compromise.
- **Response Actions:** PowerSchool acknowledged the breach and offered two years of credit monitoring and identity protection services to all students and faculty of its SIS customers, irrespective of individual data exposure validation.
## Attack Methodology
- **Initial Access:** Via compromise of the PowerSchool environment (specific vector not detailed, likely related to external access or unpatched vulnerability).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed, but necessary to locate student/faculty data within the SIS.
- **Lateral Movement:** Not detailed within the vendor environment.
- **Collection:** Education records (student and faculty data).
- **Exfiltration:** Sensitive data stolen and used for extortion.
- **Impact:** Extortion demands levied against affected entities like TDSB.
## Impact Assessment
- **Financial:** Costs associated with providing two years of credit monitoring/identity protection services for all affected customers.
- **Data Breach:** Personal data belonging to students and faculty of PowerSchool SIS customers. Specific volume and precise nature (e.g., grades, personal identifiers) are not detailed but presumed sensitive given the context.
- **Operational:** Uncertainty and disruption for affected school boards (like TDSB) who must manage stakeholder communication and security implications.
- **Reputational:** Negative impact on PowerSchool’s reputation regarding its data security posture and vendor risk management.
## Indicators of Compromise
* **Network Indicators:** None provided (defanged).
* **File Indicators:** None provided.
* **Behavioral Indicators:** Extortion attempts following data theft.
## Response Actions
- **Containment Measures:** Not explicitly detailed (e.g., segmentation, access revocation by PowerSchool).
- **Eradication Steps:** Implied work to secure PowerSchool systems.
- **Recovery Actions:** PowerSchool provided mandated support measures: two-year credit monitoring and identity protection services to all students and faculty of its SIS customers.
## Lessons Learned
- The risk associated with supply chain compromise remains high, as a breach at a single major vendor (PowerSchool) can impact numerous downstream organizations (TDSB).
- Assurances from threat actors regarding data deletion post-extortion are inherently unreliable, requiring mitigation strategies to address potential data exposure regardless of the outcome of negotiations.
## Recommendations
- School boards utilizing PowerSchool or similar third-party EdTech vendors must rigorously vet vendor security practices and contractual obligations regarding incident response and data handling.
- Implement comprehensive identity theft and fraud monitoring services proactively for populations handling highly sensitive PII, even if the scope of compromise is uncertain.
- Review and enhance third-party risk management programs to account for significant third-party outages or breaches.