A handful of New York City public schools were impacted by what appears to be the biggest-ever breach of American children’s personal information, education officials confirmed.
Last month, the education technology company PowerSchool announced that hackers had accessed its student information systems, including names, birthdays, addresses and Social Security numbers. So far, at least four local schools — with a combined enrollment of 3,000 students — have been identified as being ensnared in the cyberattack.
PowerSchool is not required by the local Department of Education, but some principals have purchased the software to keep track of their students. Because student information systems are decentralized, parents may still be in the dark as to whether their children’s information was breached, advocates warned.
A public schools spokeswoman said they have reached out to the “small number of schools” that PowerSchool revealed were among the institutions hacked nationwide.
“The safety and security of our students and staff, including their personal information and data, is of the utmost importance for New York City Public Schools,” Jenna Lyle, the spokeswoman, said in a statement.
“We are working diligently to obtain information from PowerSchool that would identify the specific students and data that was affected by this incident. Once we have that information, any student whose data is found to have been affected will receive direct notice from NYCPS detailing how they were impacted and instructions on how to enroll in identity-monitoring services, free of cost.”
The New York City schools confirmed to have been affected are Fordham High School for the Arts, Long Island City High School, Lower East Side Preparatory High School, and Westchester Square Academy, according to an email from the New York State Education Department obtained by the Daily News.
Neither Lyle nor PowerSchool shared how many local schools they were aware of that were impacted by the breach. Advocates lamented that DOE and the tech company were not more forthcoming.
“It’s irresponsible for the DOE not to publicize this as widely as possible,” said Leonie Haimson, co-chairperson of the Parent Coalition for Student Privacy, an advocacy group. “People ought to be taking advantage of this offer [of identity-monitoring services] as quickly as possible. Because the longer they wait, the more likely this data will be misused.”
Haimson noted there are few ways for alumni, for example, if impacted, to learn about the breach unless news outlets and the public at large are alerted. She added that before PowerSchool went public about the incident, she already had concerns about the company, 17 different programs of whose — with “extremely sensitive” student data — are listed on the DOE website.
“I noticed in [a] privacy addendum this line in there that ‘We will abide by all federal, state and local privacy laws, but only if they’re commercially reasonable’ — which seems to me a real red flag,” Haimson said.
PowerSchool, which first became aware of the breach on Dec. 28 through one of its customer support portals, insisted it acted quickly to protect students.
“As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse,” read a statement.
The PowerSchool data breach is the latest in a string of cybersecurity incidents to impact the New York City Public Schools, which is convening a 16-member student data privacy “working group” to study the issue, which Haimson will sit on.
In 2023, the personal data of about 45,000 local students were compromised in a global cyberattack on a popular file-transfer software, MOVEit. The year before, 820,000 current and former students were impacted by a hack of an online grading and attendance system from Illuminate Education.