On January 7, PowerSchool, York Region District School Board’s student information system provider, informed YRDSB and other school boards throughout the province that it had experienced a cyber incident, affecting our board. Since then, we have been working with PowerSchool and in-house and external experts to determine the precise information that was affected.
This incident has affected current and former students and staff. Please note that we will also be posting this notice on our website to notify YRDSB’s former students and staff who may be affected.
PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. YRDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future.
What Information Was Affected
We have worked with PowerSchool to determine that the following information was affected:
- For students enrolled at YRDSB from 2005 to 2025, student preferred name, home/mailing address, Ontario Education Number, school ID, birth date, grade, gender, doctor name and doctor phone number.
- For teachers , administrators, school office staff, superintendents and department staff who have access to the PowerSchool system who worked at YRDSB from 2022-2025, affected data includes employee name, ID, Board email address, title and work location. Staff personal phone numbers or home addresses were not compromised.
Staff who do not have access to the PowerSchool student information system were not affected by this cyber incident.
This incident did not result in the compromise of any of the following information: financial information; social insurance number; health assessment information; medical records; student academic records; student academic grades; Individual Education Plan information; Parent/Guardian status; or accommodations.
The Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.
Where Can I Find the Latest Information?
We will continue to provide additional updates as we receive them. FAQs can be found on the YRDSB website, and we will continue to update the FAQs with any new or relevant information. You can view an FAQ from PowerSchool on their website.
We also recognize that you may have questions about what has occurred. Should you have any questions, please contact cybersecurity@yrdsb.ca.
We appreciate your patience and understanding, and sincerely regret any concern this has caused you.
Frequently Asked Questions
What happened?
On December 28, 2024, PowerSchool, a third-party service provider used by York Region District School Board (YRDSB), became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information.
On January 7, 2025, PowerSchool notified YRDSB of the incident and that personal information of our students and educators may have been affected.
What is PowerSchool?
PowerSchool is a software company utilized by many school boards internationally to store a range of student information and a limited amount of school-based staff information.
Who was affected?
Many public boards and private schools across North America who use PowerSchool SIS were affected by this incident.
What data was accessed?
We have worked with PowerSchool to determine that the following information was affected:
- For students enrolled at YRDSB from 2005 to 2025, student preferred name, home/mailing address, Ontario Education Number, school ID, birth date, grade, gender, doctor name and doctor phone number.
- For teachers , administrators, school office staff, superintendents and department staff who have access to the PowerSchool system who worked at YRDSB from 2022-2025, affected data includes employee name, ID, Board email address, title and work location. Staff personal phone numbers or home addresses were not compromised.
Staff who do not have access to the PowerSchool student information system were not affected by this cyber incident.
This incident did not result in the compromise of any of the following information: financial information; Social Insurance Number; health assessment information; medical records; student academic records; student academic grades; Individual Education Plan information; Parent/Guardian status; or accommodations.
What steps are you taking to prevent this from happening again?
Following this incident, we are conducting a thorough review of our vendor retention practices and enhancing our protocols to ensure third-party providers meet best practices for data protection. We are committed to continuously improving our systems and processes to safeguard the privacy of our community. We have many measures in place to protect student, staff, and family data and will continue to implement industry best practices and provide extensive training for our staff. As part of our commitment to digital transformation, YRDSB is also adopting Microsoft Cloud Technologies to create a modern and secure technology ecosystem for our staff, and students.
Where can I learn more about the incident?
You may view the Board’s FAQs about this incident.
PowerSchool has also posted an FAQ on their website to share information, which includes steps they have taken to address this incident and protect student, family and educator information moving forward.
Did the Board notify the Office of the Information and Privacy Commissioner?
Yes, the Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter.
Was any credit card or banking information involved in this incident?
No. Both PowerSchool and the Board’s own internal investigation can confirm that there is no evidence of any credit card or banking information being compromised.
Is there any indication that compromised information has been released?
There is no evidence of the compromised information having been released at this time.
Why were you keeping my student data if I was no longer enrolled in the board?
We keep information about former students in accordance with provincial requirements under the Education Act and to respond to former student information requests. We are taking this opportunity to assess our records retention practices to ensure that we are only keeping what is necessary to conduct the Board’s business.
I attended the YRDSB many years ago. Was my information affected?
Our PowerSchool SIS stores data for students who attended a YRDSB school from 2005-2025. If you were a YRDSB student prior to this, your information was not part of this incident.
Is credit monitoring being provided?
Credit monitoring services are usually offered when affected information creates a risk of credit fraud (for example, SINs, bank account or credit card numbers, etc.). No such information was affected in this case.
Can I opt-out of PowerSchool?
Not at this time. YRDSB reviews the information practices of all of its vendors on a cyclical basis and will continue with this practice.
Is the Board changing vendors?
Not at this time.
Were all PowerSchool products affected?
No. Only PowerSchool SIS was affected by this incident. Other PowerSchool tools were not affected.
I have additional questions not addressed by these FAQs.
A dedicated email address has been created where individuals can send any additional questions they may have. Please send any additional questions to cybersecurity@yrdsb.ca.