A major data breach has impacted the New York City school system, putting the personal and sensitive information of approximately 45,000 students, school employees, and service providers at risk, according to city officials. This cybersecurity incident sheds light on the growing threats to K-12 cybersecurity nationwide and underscores the critical need for heightened measures to protect educational data.

On Friday, the Department of Education (DOE) in New York City announced that an array of confidential data, comprising social security numbers, birth dates, student OSIS numbers, and employee IDs, was compromised. The breach reportedly affected around 19,000 documents accessed through the MOVEit file transfer system, a service that has been targeted by a global hacking campaign. The compromised documents encompassed a variety of sensitive information, including student evaluations, progress reports, and records related to DOE employees’ leave status.

"We recently discovered a security vulnerability in the MOVEit file-sharing software, which has impacted both private and government customers globally," stated Nathaniel Styer, a spokesperson for the city DOE. The issue was addressed swiftly with NYC Cyber Command to resolve the vulnerability, and an internal investigation revealed that certain DOE files were affected. An ongoing collaborative investigation with the NYPD and FBI is underway, although details surrounding the number of affected staff members and the precise timing of the cyber attack remain undisclosed.

In response to the breach, the Council of Supervisors and Administrators Union is actively engaging with the Chancellor's team to mitigate the potential fallout. The Union is pushing for suitable credit fraud protection for those affected by the incident. According to the DOE, those impacted will be offered access to identity-monitoring services.

This cyber-attack on the New York City school system comes amidst a broader national context of increased concern about K-12 cybersecurity. Despite state-level initiatives, the education sector remains vulnerable to cyber threats, reinforcing the need for comprehensive, coordinated strategies.

In May, Minnesota took a significant step in tackling this problem, approving $24.3 million in one-time funding to address cybersecurity needs in school districts or charter schools. This decision was made in the wake of high-profile cyberattacks on Minneapolis Public Schools and the Minnesota Department of Education.

Some states, such as Connecticut, are offering shared services to mitigate cybersecurity risks in lieu of direct funding. For example, Connecticut provides schools with software to counteract distributed denial of service (DDoS) attacks.

The need for systemic action at the state level was underscored by the passing of 37 new cybersecurity laws across 18 states in 2022, which specifically impact the education sector. Notable among these are California's AB 2355, requiring school districts to report cyberattacks impacting more than 500 individuals, and Alabama’s HB 135, which allocated over $16 million for district technology coordinators and grants to improve cybersecurity.

As cyber threats become increasingly pervasive and sophisticated, a concerted effort by all stakeholders - at city, state, and national levels - will be required to ensure the cybersecurity of our nation's schools.

Protecting yourself is getting tougher but must be done to keep your business or government agency, school, state, city, etc. running.

Ask the experts at Apex Technology Services about how we can help your organization stay secure.