New York City Schools Had Warnings Before Cyber Attack

Before a global cyber attack compromised data from New York schools in May, an audit by the state comptroller and a special commissioner of investigation had criticized the district for insufficient oversight.

(TNS) — Just weeks before hackers breached tens of thousands of NYC children’s personal information in a global cyber attack, the New York State Comptroller warned education officials to get serious about protecting student data.

A comptroller audit released in May found local school districts had not received “sufficient oversight” as cybersecurity incidents in schools across the state — whether through human error, data breaches or ransomware attacks — have more than tripled over the last few years.

“The State Education Department and school districts had a responsibility to strengthen and protect student data and systems well before the pandemic,” said Deputy Comptroller Tina Kim, who oversees state government accountability.

“But remote learning increased reliance on IT services, apps and third-party programs,” she added, “and it’s clear schools were not prepared for the heightened cyber risks.”

The probe, which ran from March 2020 to November 2022, reviewed 131 data incidents reported by school districts, including 15 in New York City, and found many were out of compliance with regulations.

There have been other cautions as well.

Before the state audit, the city public schools had received warnings from the oversight agency the Special Commissioner of Investigation for the New York School District. A review of its online portal showed watchdogs had recommended better safeguards of personally identifiable information five times since 2021.

“They’ve had a fairly laissez-faire attitude about this,” said Leonie Haimson, who co-chairs the Parent Coalition for Student Privacy, “and I think it hasn’t sufficiently protected student or teacher privacy, and shows a lack of real seriousness on their part.”

The state comptroller’s audit found that 80 percent of incident reports from the city’s public schools lacked enough detail for the comptroller to say if officials told students and teachers their data was breached within a legally required 60-day timeline.

In more than half of incidents, the city blew past a deadline to notify the state of a problem.

Statewide, the auditors found many of the reports reviewed were incomplete or missing, leaving them unable to determine if schools notified families in a timely manner or at all. The comptroller also found that 14 in a statewide sample of 169 school districts did not have mandated data protection officers to make sure policies were followed.

The city public schools went without a permanent employee in that role for the majority of last school year. After the previous chief privacy officer, Joseph Baranello, left in October for a job in the private sector, it took until April for the city to replace him with Dennis Doyle.

“It was pretty shocking for the largest school district in the country that collects a huge amount of personal data,” said Haimson of the delay.

In response to the audit, state education officials suggested local school districts are primarily responsible for protecting personal data.

“As New York is a local control state, the manner in which Districts choose to meet their unique cybersecurity obligations is entirely under their discretion,” said JP O’Hare, a spokesman for the education department. “The Department provides technical guidance, support, and resources for Districts to meet these obligations.”

Local education officials announced last month that the sensitive data of about 45,000 local public school students — as well as information about staff and school service providers — were compromised in a global cyber attack.

Attackers targeted a security flaw in the popular file-transfer software MOVEit, which local schools have used to share documents and data internally and with third-party vendors that include special education service providers. The breach also impacted several state and federal agencies, including the Minnesota Department of Education, and some colleges and universities.

“This really is a top priority for us, and it’s something since last year, we’ve been working to improve our own systems and processes,” said Emma Vadehra, chief operating officer of the city schools, at a public meeting last week. “We have more work to do — everyone has more work to do.”

“This was not a New York City public schools-specific breach. It hit hundreds of entities around the globe,” she added. “That doesn’t mean it’s not a top priority for us to address, but it does mean... it goes far beyond our walls.”

The cyber attack this spring was not the first time the city’s public schools were breached.

Last year, the personal data of 820,000 current and former city public school students were compromised in the hack of a widely used online grading and attendance system from the company Illuminate Education.

Hackers gained access to a database containing students’ names, birthdays, ethnicities, home languages and, in some cases, whether students get special education services and economic status information. The breach prompted a weeks-long shutdown of the systems, and at the end of the school year, the city called it quits with the company.

Another incident quietly took place in February, when a bug in a personnel application allowed vendors to see and download the personal information of about 80,000 current or former employees who provide services to students. Those impacted were not notified until last week.

The application was taken offline, and users who accessed information about other vendors’ employees confirmed to the city that all records were destroyed or deleted. Education officials committed to strengthening their testing and review process in future updates to the application.

In all three major incidents, the city offered identity and credit monitoring services to impacted students and teachers.

But advocates suggested the school system should double down on preventative measures.

“We essentially just shove our data to the vendors and trust that they’ll follow whatever contract we had them sign,” said Naveed Hasan, the representative for Manhattan families on the city’s Panel for Educational Policy, who has close to three decades of experience in software development.

A spokesperson for the public schools directed the Daily News to its privacy and data security policy, which requires third-party vendors to sign an agreement, complete a security assessment, and undergo a cloud review.

“They have to go back to basics and have another working group on who provides technology solutions to a system as large as the DOE, that spends hundreds of millions every month,” said Hasan, who is also a public school parent.

“There’s no way this is going to address the next problem,” he added. “It’s going to happen again.”

©2023 New York Daily News. Distributed by Tribune Content Agency, LLC.