Showing posts with label student privacy. Show all posts

Tuesday, May 27, 2025

Parent leaders, elected officials, advocates & members of Chancellor’s Data Privacy Working Group urge Chancellor Ramos to postpone vote on student privacy regulation and allow parents the right of consent

The letter with full list of signers is posted here.

For immediate release: May 27, 2025

For more information: Leonie Haimson, info@studentprivacymatters.org; 917-435-9329

Rosa Diaz, Rdiaz.cec4@gmail.com; 347-885-1687 

Shannon Edwards, shannon@aiforfamilies.com; 347-719-2161 

Kaye Dyja, kdyja@nyclu.org; 212-203-3532


On Wednesday, May 28, 2025, the Panel for Educational Policy is scheduled to vote on the revisions to Chancellor’s regulation A-820, which would significantly weaken student privacy protections. It would allow the Department of Education to share a wide range of sensitive student data with third parties as long as they believe it would benefit the student or the school system. Members of the Chancellor’s Data Privacy Working Group, NYC Council Members, and Community Education Council leaders, as well as several advocacy organizations including the NY Civil Liberties Union, the Parent Coalition for Student Privacy, Dignity in Schools Coalition, and the Alliance for Quality Education, have signed onto a letter to Chancellor Ramos, urging her to delay this vote because of the risk to student safety and privacy if these regulations are approved.

The data that could be shared by Department of Education officials with any third party they please, as long as they considered it beneficial to the student or the system as a whole, would include a student’s name, email address, home address, phone number, and photo, as well as their parents’ contact information and a wide range of additional personal information.

Because of the concerns expressed by parents and advocates last October, including over 3,000 emails sent to the Chancellor and members of the PEP, the initial vote on these revisions was postponed and a Data Privacy Working Group (DPWG) was appointed by the Chancellor.  While  some significant improvements have been made as a result of the Group’s  discussions, the proposed regulations remain too risky, allowing the disclosure of highly sensitive student data with only an unreliable parent opt out method to prevent this. 

Rosa Diaz, the chair of the Chancellor’s Parent Advisory Council and a member of the DPWG said, “Parents deserve the right to control the dispersal of their children’s sensitive personal information, especially when it’s being transmitted to companies or individuals not performing any services to our schools.  We are especially concerned about how this information might be used to threaten the safety of our most vulnerable immigrant children, at a time when their privacy is being  assaulted and data misused by the Trump administration.”

Nequan McLean, another member of the Chancellor’s DPWG, and President of Community Education Council 16 and the Education Council Consortium said, “If approved, this regulation would open up all sorts of unacceptable harms to public school families, including potentially allowing charter schools to aggressively recruit students directly and  cherry picking the most academically successful ones by making their academic honors publicly available.  Already, parents are bombarded with charter school mailings and phone calls, even  after they have opted out of such mailings.  This harassment could worsen if the proposed amendment to the Chancellor’s regulation A-820 is adopted.”

Shannon Edwards, founder of the organization  AI for Families and a member of both the Chancellor’s DPWG and the  NY State Education  Data Privacy Committee, pointed out, “Too many children are already preyed upon by social media companies and are vulnerable to deep-fake porn and harassment, undermining their mental health.  Sharing their personal email and photographs without strict controls could merely exacerbate this dangerous trend.  We need far more rigorous oversight and regulation preventing the release of this information, rather than loosening the restrictions, as these revisions to the regulation would allow.”

“Parents may not realize that the DOE is handing over their child’s sensitive information to an unknown number of agencies and private companies. This could include a student’s address, photos, and more; in fact, there are only a few exceptions to what can be shared. We believe that caregivers should have the right to give or withhold consent for their child’s information to be shared. It’s reasonable for schools to have the ability to share some basic information for the purposes of events and communication, but for the DOE as a whole to be able to share almost any information without consent is overreach that disenfranchises students and families. We have seen that our new Chancellor is genuinely responsive to the concerns of families, so we are hopeful that she will consider pausing the vote and revisiting the regulations to allow for more parent agency,” said Kaiser, organizer with the Alliance for Quality Education.

“Given the excessive number of data breaches, the potential of identity theft, and troubling examples of student data already used for targeted advertising and commercial exploitation, as well as the enhanced risk of deportation for our most vulnerable immigrant students, the DOE’s student privacy regulations need strengthening rather than weakening at this time,” said Leonie Haimson, a member of the DPWG and co-chair of the Parent Coalition for Student Privacy.  “We urge the Chancellor not to push through these regulations without more careful consideration of their potential damage to student safety, and to require parent consent rather than opt out for these disclosures.”

###

 

Monday, September 16, 2024

Letter to the Mayor, Chancellor & Commissioner of Health: serious privacy concerns with the city's promotion of Teenspace online mental health services

  

Last Tuesday, Parent Coalition for Student Privacy, NYCLU and AI for Families sent a letter to the Mayor, Chancellor Banks, and the Commissioner of Health, expressing our deep privacy concerns with the city's contract with  Talkspace, and their promotion of their online mental health services for teens, called Teenspace.  Both the Mayor and Chancellor Banks have repeatedly hyped the great quality of these services and encouraged students to sign up, including Banks at a town hall meeting last weekend.  There are also links to Teenspace on the DOE website and on the websites of individual NYC public schools. 

The city is paying $26 million for these services, despite the fact that Teenspace collects a huge amount of very sensitive personal information from students before they even create an account or are given access to the company's privacy policy – and much of this information would be barred from collection by the federal student privacy law PPRA without parental knowledge and opt out, if DOE had contracted for these services rather than the city's Department of Health. The list of these extremely sensitive questions is included in an appendix to our letter.

To make things worse, the Teenspace privacy policy says students' personal data can be used for marketing purposes, which would be prohibited by the NY Ed Law 2D, again if the DOE had signed the contract. In 2022, several US Senators wrote to Talkspace, pointing out how the company also appeared to be taking advantage of a “regulatory gray area” in HIPAA, to exploit the data of their clients for profit. 

Especially with all the breaches and misuse of student data by DOE contractors, the privacy of NYC students should be better protected than this. As the letter notes, there have also been widespread consumer complaints about Talkspace’s inadequate counseling services and the overcharging of clients. Our letter was covered by Daily News, Chalkbeat, State Scoop and K12 Dive.

After sending the letter, we additionally learned that Talkspace has been sued in California for sharing the personal information of website visitors and those who signed up for accounts with TikTok, including the personal information of minors, only adding to our concerns.

 

Saturday, March 23, 2024

DOE's irresponsibility in employing AI products regardless of whether they protect student privacy


A week ago, the NY Post featured an article about a new AI program called Yourai sold by a company called LINC, or The Learning Innovation Catalyst, that the DOE is piloting in some Brooklyn schools. The product is supposed to help teachers develop their lesson plans. On Twitter last week, I pointed out the idiocy of the DOE administrator who claimed this would help teachers "think creatively."

I went on to point out that two of the three testimonials on the website from NYC teachers appeared to be fake, as I couldn't find their names in a list of DOE employees.

Today, the NY Post followed up with another article, pointing out that there were apparently eight fake testimonials from NYC teachers on the website, and that after being asked about this, the company said their names "were anonymized for compliance purposes," and have now been taken down.

Apparently, the co-CEO of the company, Jason Green, is a close pal of the Chancellor, and he and his family vacationed with the Chancellor's family on Martha's Vineyard last summer. The article added that LINC has received $4.3 million from DOE since 2018 for "professional development and curriculum," including $2.3 million so far this school year.

What they did not mention is that, aside from the likely shoddiness of the product and the fake hype surrounding it, there are real concerns about these sorts of products including the risk to student privacy, as I pointed out on Twitter.

AI products are  well known for gobbling up huge amounts of personal student data, and then using it to improve their products and create new ones.  Yet this is specifically prohibited by the regulations of NY State's student privacy law, Ed Law § 2-d.

These regulations clearly state that "Third-party contractors shall not sell personally identifiable information nor use or disclose it for any marketing or commercial purpose" and that "Commercial or Marketing Purpose means the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve or market products or services to students [emphasis added]."

I also pointed out that any district vendor or other third party with access to personal student data by law is supposed to have a specific privacy addendum to its contract.  This addendum is supposed to be posted on the DOE website here, but none can be found for LINC or YourAi.  Sadly, DOE continues to flout the law when it  comes to protecting student data and the transparency required by Ed Law § 2-d, as we have noted in the past.

On twitter, I highlighted specific weaknesses in LINC's online privacy policy, including that they allow other companies to track user behavior, including “3rd parties that deliver content or offers” meaning marketing.

I also noted that the Privacy Policy said that the company reserved the right to change it at any time for any reason without prior notification to users by changing wording online.  This violates FERPA, because then, districts are not in control of how student data may be used or disclosed.


 

After noting these red flags on twitter, the co-CEO Jason Green DMed me:

We are a minority company that has been partnering with NYCPS for years. Our mission is to help teachers better support learners. I am also recently married and a dog-lover. Would you be open to learning more about us? I would love to better understand your perspective as well.

I said sure, and then asked to see his contract with DOE, to ensure that it contained the required data privacy and security protections.   I didn't hear back until yesterday, when he said he was "working with his team" to get the contract, but assured me that they don't "directly" collect or use student data.  

When I asked what "directly" means, he said they don't collect student data at all.

Then, later that day, on Friday March 22, I went back to look at the company's Privacy Policy and noticed it had been updated that very day:


Lo and behold, there were a bunch of new sections added, including that the company indeed "may have access to student data" or "teacher or principal data" as defined under Ed Law § 2-d.


They had revised the section that previously said the company may change the Privacy Policy without prior notice.  It now says  "We will send advance notice of any upcoming changes to our Privacy Policy via e-mail."  The section about allowing other companies to use user data for marketing purposes was taken out, but this passage that replaced it is not much more reassuring:

Also, Third Party Companies may want access to Personal Data that we collect from our customers. As a result, we may disclose your Personal Data to a Third Party Company; however, we will not disclose your Personal Data to any Third Party Company for the Third Party Company’s own direct marketing purposes. The privacy policies of these Third-Party Companies may apply to the use and disclosure of your Personal Data that we collect and disclose to such Third-Party Companies. Because we do not control the privacy practices of our Third-Party Companies, you should read and understand their privacy policies.

So what does it say in the actual DOE contract with LINC that legally binds their use and protection of student data? Sue Edelman of the NY Post FOILed the contract from the NYC Comptroller and sent it to me on Friday.

To make a long story short, the only LINC contract the Comptroller's office had was this one from 2020, which never mentions Ed Law § 2-d, though the law was passed in 2014, and doesn't contain its required provisions.

Instead, the contract glosses over the entire issue of student privacy, and says instead that it complies with Chancellor’s Regulations A-820 "governing access to and the disclosure of information contained in student records." Yet Chancellor's Regulations A-820 has not been updated since 2009.

In his blog today, Peter Greene has one of his excellent takedowns of the whole notion of AI producing better lesson plans than actual living teachers. He includes this quote from Cory Doctorow:

We’re nowhere near the point where an AI can do your job, but we’re well past the point where your boss can be suckered into firing you and replacing you with a bot that fails at doing your job.

But beyond the lamentable mechanization and degradation of education that is being promoted by NYC and other districts nationwide, in the name of mindless innovation, the DOE's apparent lack of interest in protecting student privacy and following the law remains appalling.

Wednesday, September 20, 2023

Dangers of DOE plans to expand online learning and ed tech

Last night I gave a presentation on the ways in which DOE is failing to protect student privacy at a meeting of CEC 15; today I'm testifying on the dangers to both privacy and the quality of education of DOE's plans to expand the use of online learning.  Both presentations are below.  

We are looking for NYC parents and teachers who are concerned about these issues to join a new working group to investigate and advocate on this issue. If you're interested, please let us know at info@studentprivacymatters.org. Thanks!

Monday, June 26, 2023

Latest breach of NYC student data, one in a depressing series, some previously unrevealed


Below are the emails DOE sent out Friday, Saturday, and Sunday about their latest data breach from the use of a file transfer system called MOVEit, affecting at least 45,000 students and untold numbers of staff. Articles about the breach were reported in the Daily News, Gothamist, NY Post and Chalkbeat, among others.

The first DOE email below was sent on Friday to reporters; the second on Saturday to “staff" and the third on Sunday to families. Lots of unanswered questions here, including why the DOE doesn’t call this a breach (likely for legal liability reasons); whose Social Security numbers were exposed, exactly when they discovered the breach, when they applied the recommended “patches” and when they took the program offline.

The vendor, Progress, announced the vulnerability on May 31 and offered software “patches” soon after. The Minnesota Department of Education announced that student data was exposed on June 9th, and posted detailed info about the breach on its website on that date, informing parents how they can protect themselves and their children from identity theft.

The federal cybersecurity agency CISA sent out an alert on June 7 that was picked up in several news stories, and again more broadly about the hack on June 15, as did the University of Georgia and Johns Hopkins, which reported that their student data was affected. That same day, the Russian hacking group known as CLOP started listing their victims, including many businesses, state agencies, financial institutions, and the National Student Clearinghouse.

Instead of laying out when they had learned about the hack, the DOE email to reporters bragged that “DOE was identified as having been impacted by this vulnerability because of a proactive investigation led by NYC Cyber Command and DOE. NYC Cyber Command and DOE have deployed additional resources to support this investigation, patch vulnerable systems, and remediate the vulnerability.” A proactive investigation how?

It was not until June 24 that the DOE reported the breach on their website, which they call a "data incident." 

I sent in a request to the new DOE Chief Privacy Officer, Dennis Doyle, and Nathaniel Styer, for the contract and privacy/security provisions for MOVEit, which are supposed to be posted on the DOE website but of course aren't. I haven't gotten any response as of yet.

As I told the Daily News and Gothamist reporters, this breach is yet another indication of a troubling lack of seriousness and clarity evinced by DOE when it comes to protecting personal student data. The huge Illuminate breach that occurred last year involved nearly one million NYC students, including many students who had long graduated - data which Illuminate should have deleted already.  

Before that there was a breach of the Upguard system in 2021, and before that, at least two breaches from data stored on unprotected Google drives, the first of which was not publicly admitted by DOE until the second one occurred.

The Special Commissioner of Investigation excoriated the DOE at length over the two Google drive breaches in a Sept. 2021 letter that I obtained through a FOIL, as the DOE had falsely assured their office that they had fixed the problem after the first unsecured Google drive breach.

In any case, in the annual SCI report for 2021, it was revealed that in January 2022, the DOE had noted that its “most significant corruption hazards [were] in the following areas: (1) the procurement, distribution and safeguarding of air purifiers and (2) data security.”

More recently this past March 2023, a breach of personal information occurred, including 50,000 records of special education students contained in billing records issued by a service provider called Encore Support Services, stored on an unprotected cloud drive. According to the expert who uncovered the breach, Jeremiah Fowler, each record contained a student’s name, OSIS number, home address, parent names, the billing amount, and diagnosis code. Here is a sample redacted portion of the billing record:




Yet after being contacted by a reporter about this breach, the DOE was adamant that they had no responsibility to do anything about it or even inform these families, because these were nonpublic school students whose services they were ordered to pay for via impartial hearings, and therefore the state student privacy law did not apply and they had no "contractual" obligations.

Yet I wonder, didn't those families have a right to know in any case? In addition, on Checkbook NY, I found that there were nearly a thousand DOE payments to Encore Support Services, since April 11, 2022, listed under "categorical payments for OTPS" "CW SE INSTR & SCHL LEADERSHIP - OTPS", "GE INSTR & SCH LEADERSHIP - OTPS" and even "UNIVERSAL PRE-K - OTPS", all categories which refer to services provided to public school students rather than those attending non-public schools. Nevertheless, the DOE convinced the reporter I had briefed and her editor not to write about the breach.

_________

From: Styer Nathaniel <NStyer@schools.nyc.gov>
Date: June 23, 2023 at 5:59:43 PM EDT
To: Press Office <press@schools.nyc.gov>
Subject: Update: NYC DOE Data Incident

Dear reporter – please see below for a statement from me and information on background from NYC DOE and the NYC Cyber Command.

"The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. We recently learned of a security vulnerability in a third-party file-sharing software, MOVEit, which has impacted both private and government customers globally. Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able.”

Background from the DOE: Notifications to individuals whose confidential information was compromised will begin this summer. Along with the notification, individuals will be offered access to an identity monitoring service.

Within hours of learning of the vulnerability, DOE had fully patched the software as recommended by Progress and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Working with NYC Cyber Command, we immediately began an investigation to determine if data had been accessed without authorization and engaged a leading e-discovery firm to begin a full review of the impacted files. DOE has also taken the server offline and is continuing to keep it offline out of an abundance of caution. The e-discovery firm performed an in-depth analysis, which produced preliminary results on June 23rd.

We are currently cooperating with both NYPD and FBI investigations into this breach.

The DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers.

Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual.

  1. It is estimated that approximately 45,000 students, in addition to DOE staff and related service providers, were affected.  All individuals whose confidential information was compromised will be notified. 
  2. Data impacted includes:
    1. Social Security Numbers
    2. OSIS numbers
    3. Dates of birth
    4. Employee IDs
  3. Approximately 19,000 documents were accessed without authorization.
  4. The types of documents that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status.
  5. The types of data and information impacted for each individual varies from person to person. For example, not every individual’s SSN was impacted.

Additional Background from NYC Cyber Command:

  1. Over the past several weeks, the global cybersecurity community has been responding to the disclosure of a “zero-day vulnerability” within a file-transfer software system called MOVEit. This is a vulnerability that was not previously known by the software company, Progress, or its customers.
  2. This vulnerability impacted customers around the world, including government entities such as the State of Maryland, the State of Illinois, and the United States Department of Energy.
  3. As far as we know, this vulnerability allowed the threat actor to take files within the MOVEit application during a limited window of time. There is no indication that the threat actor attempted or was able to access other parts of the victims' networks.
  4. As of now, no NYC Department of DOE (DOE) data has been published, nor has DOE been subject to a threat or ransom demand.
  5. DOE was identified as having been impacted by this vulnerability because of a proactive investigation led by NYC Cyber Command and DOE. NYC Cyber Command and DOE have deployed additional resources to support this investigation, patch vulnerable systems, and remediate the vulnerability. There is no indication that this attack is ongoing.

 -- 

Nathaniel Styer

Press Secretary

New York City Public Schools

From: Communications <Communications@schools.nyc.gov>
Sent: Saturday, June 24, 2023 5:53:45 PM
Subject: Information Regarding Data Security Incident

Dear Staff: 

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

 

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included). 

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

 The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

 

Thank you, 

 

Emma Vadehra

Chief Operating Officer

New York City Department of Education

From: NYC Public Schools <noreply@schools.nyc.gov>
Date: June 25, 2023 at 1:29:05 PM EDT
Subject: Information Regarding Data Security Incident
Reply-To: NYC Public Schools <NoReply@schools.nyc.gov>

Dear Families:

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,

Emma Vadehra

Chief Operating Officer

New York City Department of Education

 

 

 -- 

Nathaniel Styer

Press Secretary

New York City Public Schools

From: Communications <Communications@schools.nyc.gov>
Sent: Saturday, June 24, 2023 5:53:45 PM
Subject: Information Regarding Data Security Incident

Dear Staff: 

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

 

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included). 

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,

Emma Vadehra

Chief Operating Officer

New York City Department of Education

From: NYC Public Schools <noreply@schools.nyc.gov>
Date: June 25, 2023 at 1:29:05 PM EDT
Subject: Information Regarding Data Security Incident
Reply-To: NYC Public Schools <NoReply@schools.nyc.gov>

Dear Families:

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,

Emma Vadehra

Chief Operating Officer

New York City Department of Education