As reported in tonight's Daily News (free link here), contrary to previous DOE assurances, four NYC public schools were likely affected by massive PowerSchool breach: .
Fordham HS for the Arts
Long Island City High School
Lower East Side Prep
Westchester Square AcademyAbout 3,000 students are currently enrolled in these schools, but former students may also have been affected if the school used the Student Information System in years past.
Please let parents, students and former students at these schools know to ask questions at their schools as soon as possible. They should then check for ID theft and sign up for free credit monitoring and ID theft insurance, offered by PowerSchool. More info here.
What's unacceptable is how DOE still refuses to confirm to reporters the names of affected schools, or announce this publicly, as hundreds of other districts have done. The information came instead from the NYSED Privacy office.
NYSED has also put out guidance to districts, suggesting that PowerSchool may not be telling the whole story and that the data breach may affect not only former students, but also schools that no longer use the School Information System but once did.
Also very problematic is how the PowerSchool contract with DOE for seventeen data-hungry products implies the company will only comply with state and federal privacy laws when they consider them "commercially reasonable." I shared my concerns with DOE over a year ago about this and got no response.
Though up to now, only the PowerSchool SIS has been reported as breached, such lax privacy language applies to all these products and is unacceptable. As has not been widely reported, PowerSchool failed to take the most simple security protections such as two-factor authentication for user access, and instead, the hacker just obtained the password of a single employee.
