UPDATE: PowerSchool Security Breach & FAQ's

We are writing to provide an update on the cyber incident involving PowerSchool’s Student Information System – the application used by Durham District School Board (DDSB) and many school boards across North America to store certain student and staff information.

This incident has affected current and former students and staff. 

What Happened

On January 7th, PowerSchool informed DDSB and other school boards, both nationally and internationally,  that it had experienced a cyber incident, and that this incident affected DDSB. Since then, we have been working with PowerSchool and internal and external experts to determine the precise information that was affected.

PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. Nevertheless, DDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future.

What Information Was Affected

We have worked with PowerSchool to determine that the following information was affected:

For students enrolled at DDSB from 2006 to 2025, student name, address, home phone number, date of birth, gender, grade, parent/guardian name, and Ontario Education Number were part of the data affected. For most students, the data also included their doctor’s name, doctor’s phone number, emergency contact name and contact information, and school transfer information.

For a small minority of students, guardian email address, custodial arrangements, some medical alert information, and a yes or no indicator if a student has an individual education plan (IEP), were also impacted.

For a very limited number of students enrolled from 1997 to 2005, similar information was affected.

With respect to medical alert information, if you provided information to your child’s school about your child’s allergies, medical conditions or injuries when completing the start of school year forms, this information was included in the data that may have been accessed or acquired. Please note that medical information provided to or by members of DDSB’s Inclusive Student Services/Special Education team (e.g. Psychological Services, Audiologist, Speech-Language Pathologists, and Social Workers), such as information related to Individual Placement Review Committee decisions (IPRCs) and Individual Education Plans (IEPs) – this information was stored in a separate database and not impacted by this incident.

For teachers, administrators, school office staff, superintendents and department staff who worked at DDSB from 2013-2025 and who have access to the PowerSchool student information system, affected data includes employee name, DDSB username and employee number, Board email address, and job title. For a small number of staff, home address and home phone number were also impacted.

Staff who do not have access to the PowerSchool student information system?were not affected by this cyber incident.

To be clear, DDSB does not store any Social Insurance Numbers, financial, or banking information in the PowerSchool Student Information System, so that information was not affected in any way.

The Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.

Where Can I Find the Latest Information?

We will continue to provide additional updates as we receive them. Frequently Asked Questions (FAQ) can be found below, and we will continue to update the FAQs with any new or relevant information. You can also view FAQ's from PowerSchool on their website.

We also recognize that you may have questions about what has occurred. Should you have any questions, please contact powerschoolincident@ddsb.ca.

We appreciate your patience and understanding, and sincerely regret any concern this has caused you.

What happened? 

On December 28, 2024, PowerSchool, a third-party service provider used by the Durham District School Board (DDSB), became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information.

On January 7, 2025, PowerSchool notified DDSB of the incident and that personal information of our students and educators may have been impacted. 

What is PowerSchool?  

PowerSchool is a software company utilized by many school boards internationally to store a range of student information and a limited amount of school-based staff information.

Who was affected?

Many public boards and private schools across North America who use PowerSchool SIS were affected by this incident.

What data was accessed?

We have worked with PowerSchool to determine that the following information was affected:

For students enrolled at DDSB from 2006 to 2025, student name, address, home phone number, date of birth, gender, grade, parent/guardian name, and Ontario Education Number were part of the data affected.

For most students, the data also included their doctor’s name, doctor’s phone number, emergency contact name and contact information, and school transfer information.

For a small minority of students, guardian email address, custodial arrangements, some medical alert information, and a yes or no indicator if a student has an individual education plan (IEP), were also impacted.

For a very limited number of students enrolled from 1997 to 2005, similar information was affected. 

For a small number of teachers, administrators, school office staff, superintendents and department staff who worked at DDSB from 2013-2025 and who have access to the PowerSchool SIS system:

• Home address
• Home phone number

Please note that sensitive educator information, like financial information, was not compromised.

Other staff  

Staff who do not have access to the PowerSchool student information system?were not affected by this cyber incident. ? 

What steps are you taking to prevent this from happening again?

Following this incident, we are conducting a thorough review of our vendor retention practices and enhancing our protocols to ensure third-party providers meet best practices for data protection. We are committed to continuously improving our systems and processes to safeguard the privacy of our community. We have many measures in place to protect student, staff, and family data and will?continue to implement industry best-practices and provide extensive training for our staff. As part of our commitment to digital transformation, DDSB is also adopting Microsoft Cloud Technologies to create a modern and secure technology ecosystem for our staff, and students.

Where can I learn more about the incident?

PowerSchool has posted an FAQ on their website to share information, which includes steps they have taken to address this incident and protect student, family and educator information moving forward. 

Did the Board notify the Office of the Information and Privacy Commissioner?

Yes, the Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter.

Was any credit card or banking information involved in this incident?

No. Both PowerSchool and the Board’s own internal investigation can confirm that there is no evidence of any credit card or banking information being compromised. 

Is there any indication that compromised information has been released?

There is no evidence of the compromised information having been released at this time.

Why were you keeping my student data if I was no longer enrolled in the board?

We keep information about former students in accordance with provincial requirements under the Education Act and to respond to former student information requests. We are taking this opportunity to assess our records retention practices to ensure that we are only keeping what is necessary to conduct the Board’s business.

I attended the DDSB many years ago. Was my information impacted?

Our PowerSchool SIS stores data for students who attended a DDSB school from 2006-2025, with very limited students impacted attending DDSB schools between 1997-2005. If you were a DDSB student prior to this, your information was not impacted as part of this incident. 

Is credit monitoring being provided?

Credit monitoring services are usually offered when impacted information creates a risk of credit fraud (for example, SINs, bank account or credit card numbers, etc.). No such information was impacted in this case.

Can I opt-out of PowerSchool?

Not at this time. DDSB is using this incident to review the information practices of all of its vendors.

Is the Board changing vendors?

Not at this time.

Were all PowerSchool products impacted?

No. Only PowerSchool SIS was impacted by this incident. Other PowerSchool tools were not impacted. 

I have additional questions not addressed by these FAQs.

A dedicated email address has been created where individuals can send any additional questions they may have. Please send any additional questions to powerschoolincident@ddsb.ca  

_________________________________