Ransom Paid, Trust Broken: The PowerSchool Breach Is a Wake-Up Call for Our Schools
Arafat Rahman

By now, it’s become a sad refrain in the world of cybersecurity: a major data breach occurs, a ransom is paid, and the stolen data still resurfaces, leaving institutions and individuals more vulnerable than ever. This time, it’s Canada’s largest school board—the Toronto District School Board (TDSB)—caught in the crossfire, and the consequences are deeply unsettling.
In December 2024, a breach of PowerSchool, a widely used student information system, exposed a staggering amount of sensitive data. While PowerSchool chose to pay the ransom in a desperate bid to prevent the leak, that gamble has failed. Now, several school boards, including the TDSB, are being re-extorted by the same threat actors who clearly never intended to delete the stolen information.
The fallout is severe. For students and families, this isn’t just about birthdays and addresses. In the TDSB’s case, health card numbers, emergency contacts, and even some medical information dating back to 2017 are now at risk. Other provinces, like Nova Scotia, have reported that staff social insurance numbers were compromised—information that could be weaponized for identity theft or fraud.
What’s especially galling is that this breach stems not from the schools themselves, but from a U.S.-based tech vendor entrusted with the data of thousands of Canadian children and educators. It raises a crucial question: how much do school boards really know—or control—about the security protocols of the third-party platforms they rely on?
PowerSchool’s admission that it paid a ransom, despite knowing the risks of such a move, reveals a painful reality. Even well-intentioned responses can fail when dealing with bad actors who operate outside any code of ethics. Paying ransom may sometimes buy time—but it never guarantees resolution.
As PowerSchool and school boards scramble to contain the damage, offering credit monitoring and identity protection services, it feels like too little, too late. These reactive measures do not undo the violation of trust. Nor do they prevent future breaches, especially if systemic cybersecurity standards and accountability aren’t urgently improved across the education sector.
This breach is a clarion call. School boards must demand transparency and stronger guarantees from software vendors. Governments need to enforce stricter data protection regulations, particularly when it comes to cloud-based platforms that hold sensitive information on children. And we, as parents and caregivers, should be asking hard questions about who is safeguarding our children’s digital footprints—and how.
Until then, we’re left with yet another reminder that in the digital age, trust is fragile—and once broken, difficult to restore.



