Toronto District School Board Data Has Been Leaked Via A Supply Chain Attack

This hack is going to be big.

The Toronto District School Board disclosed via a letter to parents and guardians that it has been pwned by what looks to be a supply chain attack, and the impact is huge:

What Happened?
As you may recall, on Tuesday, January 7, 2025, PowerSchool notified TDSB and other school boards in Ontario and across North America that a PowerSchool system had experienced a data breach between December 22-28, 2024. TDSB’s cybersecurity team promptly activated our response plan, taking immediate steps to ensure that our critical systems remain operational. TDSB can confirm that our environment is secure, and that there is no ongoing unauthorized access to any data, either stored in PowerSchool’s Student Information System or elsewhere. 

What Information Was Impacted? 
While our investigation into the incident continues, we have now confirmed the types of personal information stored in PowerSchool’s Student Information System that may have been accessed and acquired by an unauthorized user. The information includes the following:

Students between September 1, 2017 and December 28, 2024

  • First, Middle & Last Names
  • Date of Birth
  • Gender
  • Health Card Number
  • Grade Level and School Information
  • Start/End Date as a Student
  • Ontario Education Number
  • EQAO Accommodation Information    
  • Medical Information (i.e. allergies, conditions, injuries)
  • Home Addresses
  • Home Phone Numbers
  • TDSB Student Number
  • TDSB Email Address
  • First Nations, Métis, Inuit Information
  • Residency Status
  • Principal/Vice Principal Notes (including discipline notes) 

With respect to medical information, if you provided information to your child’s school about your child’s allergies, medical conditions or injuries when completing the start of school year forms, this information was included in the data that may have been accessed or acquired. Please note that medical information provided to members of TDSB’s Professional Support Services team (e.g. Psychologists, Occupational Therapists, Physiotherapists, Audiologists, Speech-Language Pathologists, and Social Workers) was not impacted by this incident. 

Students between September 3, 1985 and August 31, 2017

  • First, Middle & Last Names
  • Date of Birth
  • Gender
  • Health Card Number
  • Ontario Education Number    
  • Home Addresses
  • Home Phone Numbers
  • TDSB Student Number
  • TDSB Email Address
  • First Nations, Métis, Inuit Information 

This historical student information is kept in PowerSchool’s Student Information System in order to respond to requests for former student records.

Parent/guardian/caregiver and emergency contact information (individuals connected to students who were registered from September 1, 2017 and December 28, 2024)

  • First, Middle & Last Names
  • Home & Mobile Phone Numbers
  • Email Addresses    
  • Relationship to Student
  • Home Addresses

Canada’s federal privacy watchdog and the Office of the Information and Privacy Commissioner of Ontario are both investigating the breach. But it goes without saying that this is bad. PowerSchool, the company that got pwned, has a statement of its own in which it says it will be offering free credit monitoring for those affected, which is typical for situations like this. But that doesn’t really give me the warm fuzzies. I say that because my wife and I went to TDSB schools and are in the second group of people who are affected by this. So this clearly concerns us. The types of information could be used to launch attacks against individuals, or be used to commit fraud. Thus anyone who is affected by this could be feeling the repercussions for years to come.
