Students enrolled in York Region public schools as far back as 2005 have been impacted by the PowerSchool data breach, according to an email sent to families by the York Region District School Board on Monday.
The board said students enrolled at YRDSB schools from 2005 to 2025 were impacted.
The affected data includes the student’s preferred name, their home/mailing address, Ontario education number, school ID, birth date, grade, gender, doctor name and doctor phone number.
Staff were also impacted. Teachers, administrators, school office staff, superintendents and department staff who have access to the PowerSchool system and worked at YRDSB from 2022 to 2025, saw data affected, including their employee name, ID, board email address, title and work location.
Staff personal phone numbers or home addresses were not compromised. Staff who did not have access to the system were not impacted.
YRDSB said in its email that no financial information, social insurance numbers, medical records, student academic records, or information regarding their parent/guardian status were impacted.
“Following this incident, we are conducting a thorough review of our vendor retention practices and enhancing our protocols to ensure third-party providers meet best practices for data protection,” YRDSB added in a news release on its website. “We are committed to continuously improving our systems and processes to safeguard the privacy of our community. We have many measures in place to protect student, staff, and family data and will continue to implement industry best practices and provide extensive training for our staff.”
While the board said it was not changing vendors at this time, it said that it is adopting Microsoft Cloud Technologies "to create a modern and secure technology ecosystem for our staff, and students."
"PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online," YRDSB added in its email to parents. "YRDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future."
Privacy commissioner of Canada Philippe Dufresne said in a statement on Monday that his office is in touch with the California-based PowerSchool in the wake of the breach.
"I am concerned about the potential impact that an incident such as this one may have on the personal information of students across the country," he said.
Earlier this month, PowerSchool told school boards in Ontario and several other provinces, including Newfoundland and Labrador, Nova Scotia and Alberta, as well as schools in several U.S. states, that it had experienced a data breach between Dec. 22 and 28
PowerSchool is an application used by the YRDSB to store student demographic and class information, as well as a limited amount of school-based staff information.
“The board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident,” YRDSB added in Monday’s email to parents. “While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter.”
The Toronto District School Board also sent an email to parents Monday, in which it said that students' birthdays, addresses, health card numbers, emergency contacts and some medical information stored since September 2017 may have been included in the data breach involving the PowerSchool platform.
Some "historical student information" – including health card numbers and home addresses – dating as far back as September 1985 through to August 2017 was also compromised, the school board said.
A PowerSchool spokesperson directed a request for comment to its FAQ page on its website.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts,” reads a statement on the company’s website.
“Since then, over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.”
“We take our responsibility to protect student, family, and educator data privacy extremely seriously, and we are committed to providing customers, families, and educators with resources and support as we work through this together,” the company adds.
YRDSB's FAQ page regarding the incident is online.
