A non-profit newsroom, powered by WNYC.

Another data breach at NYC schools exposes student and staff information

52 Chambers Street, the DOE headquarters in the Old Tweed Courthouse. — JB Nicholas / Gothamist

Published Jun 24, 2023

Modified Jun 24, 2023

We rely on your support to make local news available to all

Make your contribution now and help Gothamist thrive in 2025. Donate today

Gothamist is funded by sponsors and member donations

The New York City Department of Education estimates that the personal data of some 45,000 students was compromised as part of a breach involving the file transfer software MOVEit.

Officials said the compromised data includes social security numbers, birth dates and certain student evaluations, though the specific types of data breached varies per student. Employees’ information was also affected, officials said, but they did not identify how many staff members were involved. No education department data has been published as a result of the breach so far, officials said, and the department will begin notifying those affected this summer.

Multiple federal agencies and many companies were also affected by the breach, which is being attributed to Russian cybercriminals.

"The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education,” said department spokesperson Nathaniel Styer. “Currently we have no reason to believe there is ongoing unauthorized access to DOE systems."

It is the latest in a series of security breaches that have affected New York City public school students. Last spring, the data of some 820,000 students was compromised in a hack of a grading and attendance system from Illuminate Education. In 2021, there was a leak of data through Google Drive affecting about 3,000 students and 100 staff members.

Leonie Haimson, co-chair of the Parent Coalition for Student Privacy and a longtime advocate for stronger data security, said the latest breach should serve as a wake up call to the department.

“They’ve just shown a level of unseriousness about this,” she said. “It really behooves them, at this point, to clean up their act.”

Haimson said the city must ensure all vendors follow encryption protocols, as required by state data privacy law, and delete data as soon as possible: “They need to be straightforward and on top of it and they’re not.”

A report from the Special Commissioner of Investigation in 2021 said education department leadership had also identified data security as a top concern, stating “most significant corruption hazards [were] in the following areas: (1) the procurement, distribution and safeguarding of air purifiers and (2) data security.”

In a note to reporters revealing the breach on Friday evening, education department officials emphasized that they mobilized quickly, patching the software within hours of discovering the problem, and partnering with the NYPD and the FBI on their investigations.

This story has been updated to correct the name of the Parent Coalition for Student Privacy.