The Toronto District School Board (TDSB), Canada’s largest educational system, is once again in the crosshairs of cybercriminals. This time, the threat stems not from a new breach, but from a recycled trove of data stolen during a ransomware attack in December 2023.
At that time, the TDSB paid a ransom under pressure, receiving a video from attackers that allegedly showed the data being deleted. In May 2025, a new extortion attempt emerged using that same dataset.
While it remains unconfirmed whether the new threat originates from the same actors as the original breach, the implications are clear: the stolen data was never truly eliminated. The incident calls into question not just the effectiveness of ransom payments, but the broader security strategies of organizations under siege.
Why It Matters: For CIOs, CISOs, and IT executives the incident is a sobering reminder that ransom payments do not equate to risk resolution. In fact, they can prolong exposure and embolden future threats. This case demonstrates how trust-based negotiations with criminal actors often lack enforceability and transparency. Even after payment and supposed data deletion, CIOs may find themselves facing repeated threats from different adversaries leveraging the same breach footprint. The TDSB situation underscores the urgent need for investment in long-term incident response strategies, zero-trust security architectures, and public-sector cyber resilience, as well as a clear-eyed evaluation of whether ransom payments offer any real protection in the long run.
- TDSB’s 2023 Ransom Payment Was Meant to Prevent Data Exposure, But Failed to Do So: In December 2023, the TDSB suffered a ransomware attack that led to the theft of sensitive data. Facing the threat of public release, the board opted to pay the ransom. In response, the attackers supplied a video that purported to show the deletion of the stolen data. This was seen at the time as a potential closure, but the reappearance of that same data in a new threat shows the promise was either deceitful or meaningless.
- 2025 Extortion Attempt Proves Stolen Data Can Have a Long Life: The extortion note sent in May 2025 referenced the exact same dataset stolen in 2023. The actor behind this new attempt is currently unknown, but the use of the same files suggests either that the original attacker retained copies or the data has since changed hands. This challenges the widely held belief that paying a ransom will eliminate ongoing risk.
- No Guarantee That Data Deletion Was Genuine Or Even Technically Verifiable: The original attackers provided a deletion video, a common tactic among ransomware groups trying to demonstrate trustworthiness. But as this case proves, even video “evidence” is not verifiable. CIOs must now operate on the assumption that once data is stolen, it is irretrievably out of the organization’s control, regardless of payment.
- Ongoing Vulnerability Despite Prior Compliance Shows the Limits of Transactional Security: TDSB’s experience highlights that paying attackers often does little more than signal organizational willingness to comply, possibly making institutions a target for follow-up threats. In this case, the attacker (or another actor) returned with a second ransom demand, revealing the structural weakness of relying on a single “transaction” to address systemic data compromise.
- CIOs Must Balance Ethical, Legal, and Strategic Pressures When Attacked: This incident forces difficult conversations for technology leaders in government and education. The decision to pay can seem pragmatic in the short term, especially when students or critical services are at risk but it introduces lasting reputational, operational, and strategic vulnerabilities. A strong, principled incident response strategy, backed by executive leadership, is essential to protect institutions over the long term.
