A recent cyberattack targeting the Peel District School Board (PDSB) has exposed sensitive student and staff data, including names, addresses, birth dates, and other critical information. The breach, which occurred between December 22 and December 28, 2024, affected schools in Mississauga, Brampton, and Caledon, as well as other districts across Ontario.
The attack involved a vulnerability in software provided by PowerSchool, a widely used third-party application for managing school data. Information potentially accessed includes:
- Students: Names, home addresses, phone numbers, dates of birth, gender, Peel student numbers, grade levels, Ontario Education Numbers (OEN), school enrollment dates, medical alerts (e.g., allergies), and family alerts (e.g., authorized pickup individuals, emergency contacts).
- Staff: Names, email addresses, employee numbers, and work locations.
The breach also extended to archived student records dating back to 1965.
The PDSB confirmed the breach in a bulletin to families, noting that while the investigation continues, PowerSchool has reported that the stolen data was deleted and has not been posted online. The board’s cybersecurity team promptly activated its response plan, securing systems and collaborating with PowerSchool to prevent further access.
“Our cybersecurity team has ensured that critical systems remained operational and that the data stored in PowerSchool’s SIS (student information system) is now secure,” the bulletin stated.
The breach is not isolated to Peel schools. Other affected districts include the Dufferin-Peel Catholic District School Board, Toronto District School Board, and Durham District School Board, although the types of compromised data vary. The Dufferin-Peel Catholic board has not yet disclosed specific details about the affected information.
The PDSB and other boards are continuing to investigate the breach and are implementing measures to strengthen cybersecurity. Families and staff are encouraged to monitor for suspicious activity and remain vigilant about potential risks to their personal information.
This incident highlights the growing need for robust cybersecurity measures to protect sensitive data in education systems.