Data from public school students dating as far back as 1985 appears to have been breached during a cybersecurity incident impacting schools in Toronto, Ontario and across parts of North America.
Software made by the company PowerSchool, which stores data for boards across the continent, was subject to a high-profile breach at the end of last year. The company originally said that some “personally identifiable information” had been accessed as part of the breach.
School boards in Ontario, Alberta, Newfoundland and Labrador and Nova Scotia all use the software and have been working to understand the extent of the cyber security incident.
The Toronto District School Board said some data for students attending between 1985 and 2017 — including health card number, home address and phone number — may have been included in the breach. Medical information, principal notes and dates of birth for students between 2017 and December 2024, may also be part of the breach.
Separately, in York Region, the school board said information for staff and students dating back to 2005 had been involved. In total, Ontario’s privacy commissioner told Global News that 19 boards across the province had been part of the breach.
Boards in other provinces were also impacted.
According to information provided by PowerSchool, the data breach involved unauthorized access to certain PowerSchool Student Information System data through PowerServe, one of its community-focused customer portals.
The company said it communicated with its customers on Jan. 7, adding those that don’t use PowerSchool SIS were not impacted.
In response to the breach, the Privacy Commissioner of Canada’s office said it was worried about the cyber incident.
“I am concerned about the potential impact that an incident such as this one may have on the personal information of students across the country,” a statement read.
“Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. This is particularly important when dealing with children’s personal information.”
The data breach itself took place over Christmas, between Dec. 22 and Dec. 28.
— with files from Global News’ Sean Previl.