NYC Public Schools working to identify students affected by PowerSchool data breach

A fistful of New York City nationalist schools were impacted by what appears to beryllium the biggest-ever breach of American children’s idiosyncratic information, acquisition officials confirmed.

Last month, the acquisition exertion institution PowerSchool announced that hackers had accessed its pupil accusation systems, including names, birthdays, addresses and Social Security numbers. So far, astatine slightest 4 section schools — with a combined enrollment of 3,000 students — person been identified arsenic being ensnared successful the cyberattack.

PowerSchool is not required by the section Department of Education, but immoderate principals person purchased the bundle to support way of their students. Because pupil accusation systems are decentralized, parents whitethorn inactive beryllium successful the acheronian arsenic to whether their children’s accusation was breached, advocates warned.

A nationalist schools spokeswoman said they person reached retired to the “small fig of schools” that PowerSchool notified DOE were among the institutions hacked nationwide.

“The information and information of our students and staff, including their idiosyncratic accusation and data, is of the utmost value for New York City Public Schools,” Jenna Lyle, the spokeswoman, said successful a statement.

“We are moving diligently to get accusation from PowerSchool that would place the circumstantial students and information that was affected by this incident. Once we person that information, immoderate pupil whose information is recovered to person been affected volition person nonstop announcement from NYCPS detailing however they were impacted and instructions connected how to enroll successful identity-monitoring services, escaped of cost.”

The New York City schools confirmed to person been affected are Fordham High School for the Arts, Long Island City High School, Lower East Side Preparatory High School, and Westchester Square Academy, according to an email from the New York State Education Department obtained by the Daily News.

Neither Lyle nor PowerSchool shared however galore section schools they were alert of that were impacted by the breach. Advocates lamented that DOE and the tech institution were not much forthcoming.

The New York Stock Exchange is decorated for the archetypal time of nationalist trading of the cloud-based acquisition bundle supplier PowerSchool connected July 28, 2021. (Shutterstock)

“It’s irresponsible for the DOE not to publicize this arsenic wide arsenic possible,” said Leonie Haimson, co-chairperson of the Parent Coalition for Student Privacy, an advocacy group. “People ought to beryllium taking vantage of this connection [of identity-monitoring services] arsenic rapidly arsenic possible. Because the longer they wait, the much apt this information volition beryllium misused.”

Haimson noted determination are fewer ways for alumni, for example, if impacted, to larn astir the breach unless quality outlets and the nationalist astatine ample are alerted. She added that earlier PowerSchool went nationalist astir the incident, she already had concerns astir the company, 17 antithetic programs of whose — with “extremely sensitive” pupil information — are listed connected the DOE website.

“I noticed successful [a] privateness addendum this enactment successful determination that ‘We volition abide by each federal, authorities and section privateness laws, but lone if they’re commercially reasonable’ — which seems to maine a existent reddish flag,” Haimson said.

PowerSchool, which archetypal became alert of the breach connected Dec. 28 done 1 of its lawsuit enactment portals, insisted it acted rapidly to support students.

“As soon arsenic PowerSchool learned of the incident, we engaged cybersecurity effect protocols and mobilized elder enactment and third-party cybersecurity experts to behaviour a forensic probe of the scope of the incidental and to show for signs of accusation misuse,” work a statement.

The PowerSchool information breach is the latest successful a drawstring of cybersecurity incidents to interaction the New York City Public Schools, which is convening a 16-member pupil information privateness “working group” to survey the issue, which Haimson volition beryllium on.

In 2023, the idiosyncratic information of astir 45,000 section students were compromised successful a planetary cyberattack connected a fashionable file-transfer software, MOVEit. The twelvemonth before, 820,000 existent and erstwhile students were impacted by a hack of an online grading and attendance strategy from Illuminate Education.

Originally Published: February 6, 2025 astatine 5:58 PM EST