The unfortunate revelation that the Toronto District School Board (TDSB) and at least three other Canadian school boards are facing renewed extortion demands - months after paying a ransom to hackers - should serve as a wake-up call for every organisation that handles sensitive data. The incident, which stems from the December 2024 PowerSchool breach, demonstrates the profound risks of relying on the word of cybercriminals, and underscores why robust, regularly tested business continuity plans (BCPs) are non-negotiable in today’s threat landscape.
They say lightning never strikes the same place twice, but as this breach shows, sometimes it does - and the consequences can be even more severe the second time around.
In December 2024, PowerSchool, an education technology provider used by over 6,500 school districts across North America, suffered a major ransomware attack. Sensitive data dating back to 1985 for approximately 235,000 TDSB students - including names, medical information, special education accommodations, and disciplinary notes - was stolen. In an attempt to prevent public release, PowerSchool paid the demanded ransom and received a video as “proof” that the data had been deleted.
But this week, TDSB informed parents and staff that the hackers have returned with new extortion demands, using the same stolen data as leverage. At least four school boards have received similar threats, shattering any illusion that the ransom payment resolved the crisis.
This incident highlights the futility of trusting cybercriminals to honour their promises, even when they provide supposed evidence of compliance. The hackers’ reappearance proves that assurances of data deletion are meaningless, and that paying a ransom often leads to continued victimisation.
The breach exposed decades of highly sensitive information about minors, creating enduring privacy and security risks for students and their families. The potential for identity theft, targeted scams, or other forms of exploitation is enormous and long-lasting.
The TDSB is still reeling from a separate LockBit ransomware attack just months earlier, illustrating how repeated incidents can overwhelm even large, well-resourced organisations.
These events are a stark reminder that a business continuity plan is only as good as its last test. A BCP must not only exist on paper but be regularly exercised and updated to reflect evolving threats and real-world scenarios.
Here’s why:
Regular BCP testing - such as tabletop exercises, simulation drills, and full-scale recovery tests - ensures that organisations are prepared for incidents where ransom payments fail to resolve the threat, or where sensitive data remains at risk even after “resolution”.
Testing exposes weaknesses in incident response, communication protocols, data backup strategies, and stakeholder notification processes. For example, would your organisation know how to respond if hackers re-initiated extortion attempts months after an initial breach?
When staff and leadership practise their roles during simulated crises, they respond more confidently and efficiently during real incidents, minimising damage and downtime.
Demonstrating a proactive approach to business continuity and data protection can mitigate regulatory penalties and help maintain trust with stakeholders - even in the wake of a breach.
Organisations should partner with experts to develop and regularly test their business continuity plans. Services like those outlined in Insicon’s guide to business continuity plan testing include:
To further strengthen your organisation’s cyber resilience and ensure you’re prepared for incidents like this breach, consider leveraging Insicon’s Managed Security Services.
By partnering with Insicon, organisations gain access to a full suite of expert-led cybersecurity solutions - including Managed Compliance, Essential Eight implementation, and advanced threat protection - all delivered through a cost-effective subscription model. This approach allows organisations to benefit from the deep expertise of ISO 27001-certified professionals without the high costs and complexities of building an in-house security team, ensuring continuous monitoring, rapid response to emerging threats, and ongoing compliance with regulatory standards.
With tailored solutions, ongoing support, and a focus on continuous improvement, Insicon’s managed security services help you reduce operational burden, improve your security posture, and free up your internal teams to focus on core business priorities.
The TDSB incident is a sobering lesson: paying a ransom does not guarantee safety, nor does it erase the risk of future attacks. The only reliable defence is a well-practised, regularly updated business continuity plan that prepares your organisation for the unpredictable - and ensures you can respond swiftly and effectively, no matter what comes next.
Don’t wait for a crisis to test your plan. Make business continuity testing a core part of your organisational culture - because the next breach may already be in motion.