Canada’s largest school board has revealed that student records dating back to 1985 may have been accessed by miscreants who compromised software provider PowerSchool.

The Toronto District School Board, or TDSB, which serves about 240,000 students across 588 schools in the Toronto area, confirmed Monday that whoever broke into PowerSchool’s database would have been able to get their hands on kids’ sensitive personal info.

PowerSchool runs a cloud-based student information management system for 18,000-plus education customers that holds records on at least 60 million students worldwide, primarily in North America.

It revealed earlier this month that crooks gained unauthorized access to its database tables of children and educators in December, saying that a limited “subset” of customers were affected.

The California-based developer seems to think any data taken by the thieves has been deleted and was not shared with others, which suggests to us that the biz has either heard directly or indirectly from the fiends. PowerSchool earlier said it did not suffer a ransomware infection; just a straight-up network intrusion.

“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” the software maker told customers this month.

Whoever broke in would have been able to access data includes names, genders, home addresses, phone numbers, dates of birth, and health card numbers. Additionally, for students enrolled since September 1, 2017, the security breach may have exposed some medical details as well as parent, guardian, or caregiver contact information.

“With respect to medical information, if you provided information to your child’s school about your child’s allergies, medical conditions, or injuries when completing the start of school year forms, this information was included in the data that may have been accessed or acquired,” wrote Stacey Zucker, interim director of education for the TDSB in a letter this week to the parents.

“PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online,” Zucker added.

Canada’s not alone in dealing with the fallout of the PowerSchool security breach. Reports indicate that schools in more than 40 US states have also been affected in one way or annother. So far Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Georgia, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Wisconsin, and Wyoming. The British Overseas Territory of Bermuda has also reported problems.

PowerSchool is also facing a flurry of lawsuits, with more than 20 currently filed against the biz from what we can observe from the US court system alone.

Though the software provider stated the exfiltrated data has now been deleted, we’ll have to see if the criminals will keep their word on that front. The Register is keeping an eye on the usual ransomware dark web sites and nothing from PowerSchool has been posted yet. ®