The Upper Canada District School Board (UCDSB) has confirmed that a recent cyberattack compromised the personal information of members of its community, including staff, students, and donors.
The breach, first disclosed on January 6, 2025, impacts current and former staff members, students and their parents or guardians, as well as donors and other payors to the Board office. According to the UCDSB, most affected individuals have already been notified, but the investigation remains ongoing to determine if further notifications are necessary. The process may take some time as the stolen data is
thoroughly analyzed.
The personal information of employees who worked for the Board between 1999 and 2024 includes social insurance numbers, bank account details, dates of birth, gender, contact information, employee IDs, compensation and benefits information, employment history, Ontario Ministry Educator Numbers
(for teachers), and background check details. For current and former students from 2010 to the present, sensitive information such as dates of birth, gender, addresses, academic records, Ontario Education Numbers (OEN), and parent or guardian identity details was exposed.
Students with exceptionalities from 2010 onward had additional sensitive data compromised, including medical diagnoses, assessments, accommodations, and behavioural records. The breach also affected bursary recipients from 2001 onward, exposing their social insurance numbers and home addresses. Parents and guardians had their contact details, including phone numbers, email addresses, and places of employment, accessed.
Despite the severity of the breach, the UCDSB believes the risk of the stolen data being published or misused is low. To mitigate potential risks, the Board is offering complimentary credit monitoring to eligible individuals, such as former employees and bursary recipients, and is strongly encouraging those affected to enroll. Credit monitoring provides an effective safeguard against identity theft.
Detailed information about the breach, including how specific groups were affected and instructions for accessing credit monitoring services, is available on the UCDSB website. The website also includes a comprehensive FAQ section to address community concerns.
In a statement, the UCDSB apologized for the incident and acknowledged its significant impact on the community. “We are aware that this incident has affected our community in a direct way, and again, we are sorry for this,” the Board’s update read. “Know that we are also committed to strengthening our cybersecurity program to better protect against future incidents.”
The breach has been reported to the Brockville Police Service and the Information and Privacy Commissioner of Ontario (IPC). While individuals are not required to report the incident to the IPC, they have the right to do so if they choose. The UCDSB has pledged to continue providing updates as new information emerges and as the investigation progresses.