More than 380,000 additional NYC students had personal info hacked, bringing total to over 1M
More than 380,000 additional city public-school students had their personal data hacked in a massive cyber attack — bringing the total number of kids affected to well over 1 million, The Post has learned.
The New York City Department of Education last week began sending letters notifying the hundreds of thousands of additional current and former students that they were victims of the cyber attack involving one of the DOE’s former software vendors, according to a letter sent to one graduate and reviewed by The Post.
The DOE initially reported that about 800,000 current and former students were affected but was notified by the vendor in October that scores of additional kids also were victims, the department said.
The hacked personal information includes a student’s name, date of birth, ethnicity, academic records and school enrollment, the DOE letter said.
No social security or financial information was breached, education officials said.
The DOE said it is offering the impacted students — some of whom even graduated from the system several years before the security breach occurred — two years of free credit and identity-monitoring services through vendor IDX to help protect against identity theft.
The security breach occurred in late December 2021 to early January 2022 with the DOE’s-then software company Illuminate, which offers grading, attending and messaging platforms.
The city public-school system has since severed ties with Illuminate.
The recent letter to affected former and current students provides a link to an updated security notice on the DOE website that says, “Approximately 387,000 current and former NYCPS students were newly identified as being affected by Illuminate’s data security incident in 2022.” A DOE rep said that figure is more like 381,000.
Another 94,000 current and former public-school students also are receiving a second notice because Illuminate identified “additional information of theirs that was affected by the 2022 data security incident,” the DOE said.
“New York Public Schools is writing you with an update on a data security incident that occurred two years ago involving the company Illuminate Education,” said the letter sent from DOE Chief Information Officer Intekhab Shakil and Chief Privacy Officer Dennis Doye to the affected students last week. “NYCPS is handling this situation with the utmost seriousness.”
In May 2022, city education officials notified the previously identified 800,000 students impacted by the breach.
In the recent letter, the DOE cybersecurity officials said Illuminate notified the city school system in October of last year that it became aware that “additional individuals were affected by the 2022 data security incident.
“You are one of the individuals who Illuminate recently identified as being affected by the 2022 data security incident,” Shakil and Doyle said in the letter to one of the affected students.
The DOE officials insisted they have beefed up cybersecurity protocols and emphasized that they are holding contractors accountable to protect students’ privacy.
“NYCPS is committed to protecting the privacy of our students’ personal information. We have a comprehensive security compliance process in place to help make sure that companies who access student information agree to comply with federal, state, and local laws and help protect your data,” the officials said in the letter.
“Following the 2022 Illuminate incident, NYCPS also took steps to further ensure that schools do not use software products that involve vendors receiving or accessing student information unless and until the vendors fully complete our compliance process.”
As for the two years of free credit and identity-monitoring services being offered to those affected, “There is no cost to you, but you must enroll and activate the services yoursel,” the DOE said.
The deadline to enroll is July 30, 2024.
The cybersecurity breach was not the only one that has impacted city public-school students and employees.
Last summer, 45,000 students, school workers and service providers were affected by a separate hack attack that included Social Security numbers, dates of birth, employee IDs and OSIS numbers – the nine-digit numbers issued to all students who attend a city public school.
Overall, 19,000 documents were accessed from the file transfer system MOVEIt, and 9,000 Social Security numbers were stolen, the DOE said in a letter sent to staff at the time.
As the security breaches came to light, the DOE’s former chief technology officer, Anuraag Sharma, resigned last summer.
Schools are not the only juicy targets of hackers.
Medical facilities that keep sensitive records of patients have been subjected to cyber attacks, notably the One Brooklyn Health network that oversees Brookdale, Interfaith and Kingsbrook Jewish hospitals.
DOE spokeswoman Jenna Lyle told The Post in an emailed statement Sunday, “As we have said from the start, the safety and wellbeing of all our students and staff, including the safety of their data, is our absolute top priority.
“This recent information, more than two years after the fact, is concerning and further validates our decision in Spring of 2022 to bar Illuminate from working with NYCPS or any of our schools. Our students and school communities deserve better.”
