Thursday, February 6, 2025

Alert: PowerSchool data breach at (at least) four NYC schools


As reported in tonight's Daily News (free link here), contrary to previous DOE assurances, four NYC public schools were likely affected by the massive PowerSchool breach:

Fordham HS for the Arts

Long Island City High School

Lower East Side Prep 

Westchester Square Academy

About 3,000 students are currently enrolled in these schools, but former students may also have been affected if the school used the Student Information System in years past. 

Please let parents, students and former students at these schools know to ask questions at their schools as soon as possible.  They should then check for ID theft and sign up for free credit monitoring and ID theft insurance, offered by PowerSchool.  More info here.

What's unacceptable is how DOE still refuses to confirm to reporters the names of affected schools, or announce this publicly, as hundreds of other districts have done.  The information came instead from the NYSED Privacy office. 

NYSED has also put out guidance to districts, suggesting that PowerSchool may not be telling the whole story and that the data breach may affect not only former students, but also schools that no longer use the Student Information System but once did.

 
Yet I can find no mention anywhere on these schools' websites nor on the DOE website where they alert parents to data breaches - or as the DOE euphemistically likes to call them, "Data Security Incidents."

Also very problematic is how the PowerSchool contract with DOE for seventeen data-hungry products implies the company will only comply with state and federal privacy laws when they consider them "commercially reasonable." I shared my concerns with DOE over a year ago about this and got no response.


Though up to now only the PowerSchool SIS has been reported as breached, such lax privacy language applies to all these products and is unacceptable. As has not been widely reported, PowerSchool failed to implement even the simplest security protections, such as two-factor authentication for user access; instead, the hacker just obtained the password of a single employee.

By the way, according to many reports, teacher personal data was also exposed. Have teachers at the affected schools been informed?