A massive cyber attack has impacted more than one million New York City public school students, with hackers breaching the personal data of over 380,000 additional students. The New York City Department of Education began sending letters to notify the affected students, some of whom had graduated years before the security breach occurred. The hacked information includes students’ names, birth dates, ethnicity, academic records, and school enrollment, but does not include social security or financial information. The DOE has offered two years of free credit and identity-monitoring services to the impacted students to help protect against identity theft. The security breach occurred in late December 2021 to early January 2022 due to the DOE’s former software vendor Illuminate.
City public school students received letters providing an update on the data security breach that occurred concerning Illuminate Education two years ago. Illuminate had notified the city school system in October of additional individuals affected by the breach, leading to the identification of more than 380,000 newly affected students. The DOE cybersecurity officials stated that they have enhanced cybersecurity protocols since the incident and are holding contractors accountable for protecting students’ privacy. The affected students have until July 30, 2024, to enroll in the free credit and identity-monitoring services being offered.
In addition to the recent breach, last summer, 45,000 students, school workers, and service providers were affected by a separate hack attack, compromising Social Security numbers, birth dates, employee IDs, and OSIS numbers. The former DOE chief technology officer resigned following these incidents. The city public-school system has been taking steps to ensure the security and privacy of student information and to prevent future breaches. The One Brooklyn Health network that oversees hospitals has also been targeted in cyber attacks, highlighting the vulnerability of entities that keep sensitive records.
DOE officials emphasized that protecting students’ data is a top priority and stated that the recent information validates their decision to sever ties with Illuminate. The DOE has implemented comprehensive security compliance processes to ensure vendors comply with laws protecting student data. They have also taken steps to prevent schools from using software products involving vendors accessing student information unless they complete the compliance process. The safety and well-being of students and staff, including the safety of their data, remains a key focus for the DOE.
The ongoing cybersecurity threats faced by city public-school students and employees reflect a broader trend of security breaches targeting educational institutions and organizations that hold sensitive data. The DOE spokesperson indicated that the decision to bar Illuminate from working with any NYCPS schools was made in response to the breach and to ensure better protection of student data. The incidents highlight the need for continued vigilance and investment in cybersecurity measures to safeguard personal information and prevent future data breaches.
