Disciplinary and special ed records of Toronto students may have leaked in PowerSchool breach


A data breach of the widely used educational software company PowerSchool potentially exposed special education and disciplinary records for millions of students attending Toronto public schools going back to 2017, the school district informed parents on Monday.

More limited data belonging to students enrolled in the Toronto system from 1985 until 2017 also may have leaked in the hack, and the hacker may have accessed personally identifiable information belonging to students’ emergency contacts, according to a letter from Toronto District School Board (TDSB) interim education director Stacey Zucker.

PowerSchool published a list of the types of potentially exposed information, but did not include some sensitive data that the Toronto school district claims may have been accessed, including disciplinary and special needs records, such as accommodations for extra time on standardized tests. The company has said it paid a ransom and believes the hacker deleted the stolen data. 

PowerSchool learned the hacker accessed its customer portal known as PowerSource on December 28, but the Toronto school district was not made aware of the breach until January 7, the letter said.

The education technology giant’s cloud-based software is used by thousands of school districts for finance, enrollment management, records storage and more. It holds data belonging to about 60 million students and teachers worldwide.

A PowerSchool spokesperson issued a statement on January 8 saying the company has “taken all appropriate steps to prevent the data involved from further unauthorized access or misuse.” 

“The incident is contained and we do not anticipate the data being shared or made public,” the statement said.

When asked for comment, a PowerSchool spokesperson provided a link to a company web page explaining the breach.

The leaked data for students enrolled in the system since 2017 may include names; dates of birth; health card numbers; special education accommodations; disciplinary records; medical information; home addresses and phone numbers; residency status; and grade level and school information, the letter said.

All principal and vice principal “notes” may have also been exposed, the letter said.

The hacked medical information may include anything parents disclosed to their school when enrolling their child.

The exposed data belonging to students attending Toronto schools as early as 1985 may include names; dates of birth; health card numbers; home addresses and phone numbers; and email addresses.

While Social Security numbers for children attending schools in some of the districts involved in the breach were exposed, Toronto schools do not store that data.

“TDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future,” Zucker’s letter said.

Canada’s privacy commissioner has said he is “concerned” and is in touch with PowerSchool.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
