Cybersecurity breach involves 29 years of Catholic school board data

GUELPH – A recent cybersecurity breach at the Wellington Catholic District School Board (WCDSB) included personal information for students who attended board schools over the last 29 years.  

The incident involved PowerSchool’s student information system, an application used by the WCDSB and other school boards across North America to store certain student and staff information.

According to PowerSchool, the data acquired by the unauthorized user was deleted and was not posted online.

A Jan. 21 update on the board’s website stated that for all WCDSB students since September 1996, the following information was accessed: names, dates of birth, addresses, genders, Ontario education numbers, guardian contact names and phone numbers, and emergency contact names and numbers.

For some staff who have worked at the board since 2013, names, addresses and educator numbers were compromised.

For less than five staff and less than 30 students enrolled between 2000 and 2015, Social Insurance Numbers were compromised. According to the statement on the WCDSB website, board staff will notify people directly if their SIN was impacted. 

For some students enrolled between 2013 and 2025, medical information (allergies, medical conditions or injuries), doctors’ names and custody information was also compromised.

Medical information provided to the board’s support services team (including psychologists, occupational therapists, physiotherapists, audiologists, speech-language pathologists and social workers) was not impacted. 

Board officials said this incident did not result in the compromise of any of the following details: financial information, student academic grades or individual education plans. Educators’ personal phone numbers were also not compromised, the board stated.

PowerSchool became aware of the cyber incident on Dec. 28 and informed WCDSB officials on Jan. 7.

Since then, the WCDSB  has been working with PowerSchool and internal and external experts to determine the precise information that was affected, officials stated.

“Although this cyber incident did not take place in a WCDSB environment, as part of our own investigative process, we are working with industry experts and using this incident as an opportunity to review our vendor information/data retention practices and improve how we protect personal information,” board officials stated.

The board is continuing to use PowerSchool’s student information system  as well as other PowerSchool tools – and parents, students and staff cannot choose to opt out, the board said.

PowerSchool’s SchoolMessenger and SmartFind Express were not impacted.

WCDSB officials have now concluded their analysis and have reported the incident to the Office of the Information and Privacy Commissioner of Ontario (IPC), officials said, and the IPC has opened an investigation. 

While  people affected are entitled to file a complaint, the IPC has advised that it is not necessary as it is already investigating the matter, stated WCDSB officials.

When the Advertiser tried to clarify some details about the incident, a board spokesperson stated, “All information available at this time is on the website.” 

For more information about how the breach impacts the WCDSB, visit wellingtoncdsb.ca or email powerschooldata@wellingtoncdsb.ca.

For more information from PowerSchool, visit powerschool.com.