In a letter released on May 7, the Peel District School Board informed parents of a “recent development” with the cyber security incident first reported in early January of this year and covered by MPulse in our March issue.
The school board wrote that an “unauthorized user attempted to contact multiple school districts, including PDSB, demanding a ransom using data from the previously reported December 2024 breach.”
The letter also says: “We recognize that this news may cause concern. We continue to monitor this situation closely and will keep our PDSB community informed of any new developments.”
What the letter doesn’t explicitly say is that the data that was stolen in December 2024 and reported to parents as “deleted” on January 6, wasn’t actually deleted. Although Power School paid a ransom, the criminals responsible did not actually delete the data from all schools and are now going after individual school boards and as reported in the United States, individual teachers and school employees, with further ransom demands.
Some of this new information comes from the update sent to parents from the Toronto District School Board.
In a letter also released on May, Clayton La Touche, the TDSB’s new Director of Education wrote, “PowerSchool has now confirmed that they have paid a ransom in an attempt to secure deletion of the impacted data. As with any such incident, there was a risk that the threat actors would not honour their commitment to delete the stolen data, despite assurances provided to PowerSchool… Earlier this week the TDSB was made aware that the data was not destroyed…We appreciate that this news may be unsettling and understand the concern this may cause.”
In its letter to parents on May 8, the Peel-Dufferin Catholic District School Board states explicitly that it did not receive a specific ransom demand, but was made aware that other school boards have and that PowerSchool did pay a ransom.
MPulse reached out to the Peel board to ask about the differences between their letter and the Toronto Board’s letter and to clarify whether the PDSB received a specific ransom demand.
The PDSB spokesperson responded to say “Peel District School Board can confirm there was an attempted contact by the threat actor.” The spokesperson, however, did not respond to questions about why they did not directly inform parents that the data was not deleted, nor whether they would update their website to say that the data had not been deleted.
MPulse also asked the board whether any students, parents, or staff had received individual ransom demands and whether the board has plans in place should that happen. The spokesperson responded to say there is “no information to suggest a student or parent had received any communication from the threat actor.” However, they did say, “If this situation were to occur, the Peel District School Board has resources that would be utilized to assist in this situation.”
In the meantime, the Peel board encourages students to make use of Power School’s offer of two years of identity protection and credit monitoring services. According to the PDSB website, the deadline to enroll in the Experian IdentityWorks service is May 30.
The RCMP and FBI strongly advise against paying a ransom demand as it does not ensure stolen data will be returned and only encourages more cyber crime.
