Update: 8/25/21 - Another data leak from NYC schools was revealed, in which UpGuard, a security company, found that the personal information of thousands of students stored on an unencrypted Microsoft Power Apps portal was exposed, along with other government and company data:
The portal belonging to the NYC Department of Education had a list called “contacts” with 412,220 records containing full names and district borough numbers, and a list called “Studentaccounts” with 291,955 records containing full names, usernames, district borough numbers, and email addresses for the “nycstudents.net” mail domain– likely the school-assigned email addresses for students, though it is difficult to verify the identities of minors with publicly available data.
More on this story here.
Recently, Chalkbeat reported on a data breach that affected over 1000 NYC students and teachers. The reporter followed up with another story that suggested this breach was caused by insecure storage of student and teacher data on a Google Drive, first discovered in January 2021 by high school students at Brooklyn Tech. Though these students immediately reported this insecure situation to an administrator at their school, it was ignored until March 2021, when they found that the problem had grown worse and emailed three DOE officials to alert them. I was asked to see if I could find out more by a NYC parent leader, and followed up with an email to Joe Baranello, the chief privacy officer of DOE.
I asked him for copies of the letters sent to parents and staff whose data was breached, and for more information about how these breaches occurred and what data elements were accessed.
To his credit, he responded within a few days with more details and provided four breach notification letters as attachments.
All four letters were dated July 30, 2021. Letters #1 and #2 were addressed to parents about an unspecified March 2021 breach; the second letter included reference to specific data elements that were accessed, with that information redacted. Letter #3 was addressed to parents whose children's data was breached in an earlier August 2020 incident. Letter #4 was addressed to teachers about the March 2021 breach.
In all cases, these letters inexplicably claim that this data was seen by only a single NYC student. Joe's email, which follows, included more information about the specific data elements that were breached. Below his message are several follow-up questions I asked him, including the fact that the data stored in Google Drive appears to have been unencrypted, and the long delay in notifying parents about these breaches, both of which appear to violate the state student privacy law.
If and when I get more information from DOE or elsewhere, I will update this post. Meanwhile, if you or your child were affected, please let us know at firstname.lastname@example.org. Thanks!
From: Baranello Joseph <JBaranello3@schools.nyc.gov>
Sent: Monday, August 16, 2021 11:15 AM
To: email@example.com
Cc: Siciliano Lauren <LSiciliano2@schools.nyc.gov>; Sharma Anuraag <ASharma6@schools.nyc.gov>; Nathan Judy <JNathan@schools.nyc.gov>; Gantz Toni <TGantz@schools.nyc.gov>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees, officials confirm - Chalkbeat New York
Hello Leonie,
Thank you for your inquiry. We have attached the template letters that were used for these notifications, which provide additional information on what occurred and what was viewed. Impacted individuals would have received the letter applicable to them. The information implicated varied by individual. To that end, the templates include variable fields that were populated based on the specific information implicated for each person.
Approximately 3,000 students and 100 staff were impacted. The variable fields are listed below, and which were involved varied widely from student to student. No social security numbers of students or parents were involved to our knowledge (the DOE does not collect parent or student SSNs for routine inclusion in its databases). For 5 employees, full SSNs were included. We are committed to protecting the privacy of our staff and school communities, and a DOE student should not have been able to view these files. We have no indication that anyone's information was further shared or misused at this time, and the DOE implemented aggressive measures to prevent this from happening again. Out of an abundance of caution we are offering free credit monitoring service to impacted individuals.
Student data:
- Student Academic
- Student Biographic
- Student Health
- Student Name
- Student ID
- Student Date of Birth
- Special Education
- Parent Information
- Social Security Number
- Social Security Number (Last 4 digits only)
- Date of Birth
- Employee ID
- Individualized Education Program
- Emergency Contact Card
- Government ID
- Special Education Remote Learning Plan
- Section 504 Plan
- Birth Certificate
Sincerely,
Joseph A. Baranello
Deputy Counsel & Chief Privacy Officer
New York City Department of Education
From: firstname.lastname@example.org <email@example.com>
Sent: Monday, August 16, 2021 5:06 PM
To: 'Baranello Joseph' <JBaranello3@schools.nyc.gov>
Cc: 'Siciliano Lauren' <LSiciliano2@schools.nyc.gov>; 'Sharma Anuraag' <ASharma6@schools.nyc.gov>; 'Nathan Judy' <JNathan@schools.nyc.gov>; 'Gantz Toni' <TGantz@schools.nyc.gov>; Leonie Haimson <firstname.lastname@example.org>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees
Dear Joe: Thank you for sharing the letters that were sent to parents and school staff about these breaches. I have several follow-up questions:
Question 1: In letter #3, dated July 30, 2021, DOE informed parents of the following: “In August 2020, a DOE student reported that they viewed various electronic files that contained education records and personal information about you and/or your child. The DOE immediately took steps to address it.” Why such a long delay in notification for this breach, especially as the NY State regulations for NYS Ed Law 2-d specifically require breach notification as early as possible and in no case more than 60 calendar days after its discovery?
Question 2 – This Chalkbeat article reports that a group of Brooklyn Tech students accessed personal data in January 2021 and March 2021; why is there no notification to parents of the January 2021 breach? “The students unintentionally discovered they had access to these documents in January. They noticed that the Google Drive folder where they uploaded their class assignments during remote learning contained documents uploaded by students and staff at schools across the city. Those documents included second graders’ classwork, a parent-teacher conference sign up sheet, and college recommendation letters, said a Brooklyn Tech High School student who asked to remain anonymous.”
Question 3 – Why the delay in notification for the March 2021 breach referenced above, in letters #1 and #2, especially as DOE learned about it shortly thereafter, according to the Chalkbeat article? Again, the July 30 letter is more than 60 calendar days after the date of discovery, despite the notification requirements in the regs.
Question 4 – Why do all four letters refer to only one student accessing this data, when the Chalkbeat article refers to a group of students accessing much personal data in January and March?
Question 5 – Has the DOE looked into the possibility that not only this group of high school students, but other individuals as well may have accessed personal data for thousands more students/teachers, given how easily this data was found? What further investigations are being done?
Question 6 – Clearly the data was not encrypted if students were so easily able to access it. Are you aware that the State privacy law and regs require that the sharing of personal data with any third party such as Google requires the encryption of all personal data in motion and at rest? Does DOE intend to comply with this requirement of the law in the future?
Question 7 – Why is the New York City Department of Education sending letters to parents from a P.O. Box in Suwanee, GA?
Question 8 – Why does the DOE tell parents in these letters that if they “want to discuss this matter or have any questions” about these breaches, they need to create an account with a private company called IDX, rather than contact someone at DOE itself – especially as the law required districts to appoint a Chief Privacy Officer to be the contact person for parents’ questions and concerns regarding privacy?
Moreover, the link provided in the letter requires parents to create an account with this company that in turn obligates them to accept onerous Terms of Service that “will indemnify, defend, and hold harmless IDX, our subsidiaries and affiliates, and each of our respective officers, directors, agents, partners and employees (individually and collectively, the “IDX Parties”) from and against any loss, liability, claim, demand, damages, expenses or costs ("Claims") arising out of or related to (a) your access to or use of our Services or Website”?
Hoping for a timely response,
Leonie Haimson
Co-chair, Parent Coalition for Student Privacy