New revelations showing DOE’s continuing lack of concern for the privacy and safety of NYC students – please sign our letter to the Chancellor today!

May 16, 2025

1.Please read and sign our letter, already signed by several members of the Chancellor’s Data Privacy Working Group as well as advocacy organizations and NYC Council Members, in opposition to the weakening of DOE’s student privacy protections in their proposed amendments to Chancellor’s regulation A-820. If you would like to sign on, please fill out this form.

These revisions would allow DOE to disclose a vast array of highly sensitive student data to any individual or business they please, including students’ and parents’ names, email addresses, cell phones, home addresses, photos, and more, as long as they believe it would benefit the DOE or the students involved, with only a highly unreliable parent opt out method to prevent this. The weakening of this regulation is up for a vote at the at the May 28 vote of the Panel on Educational Policy, after the initial vote on this measure was delayed in October because of parent and advocate concerns and over 3,000 emails sent to the Chancellor and PEP members.

2. Evidence of the irresponsible practices of the DOE when it comes to protecting student privacy is further revealed by recent developments in the PowerSchool breach.

According to a May 7 announcement on the PowerSchool website and and numerous news accounts, extortionists have now contacted schools and districts affected by the original PowerSchool breach that occurred in December, threatening the further exposure of student data unless they are paid a ransom.

The original breach exposed the personal information of an estimated 60 million children, parents, and school staff across the US and in Canada, including an indeterminate number of current and former NYC students and teachers at four NYC high schools: Fordham HS for the Arts, Westchester Square Academy, Long Island City High School, and Lower East Side Prep.

It is unknown at this time whether any of these NYC schools have been directly contacted by the cyber criminals, as has occurred in the case of schools elsewhere, and DOE has still not posted anything about this new threat on its webpage entitled Data Security Incidents, where it is supposed to provide this sort of information.

Still to this day, DOE officials refuse to publicize the names of the four schools that had their student data stolen back in December, or to reveal publicly that former students at these schools likely had their information breached as well.

The DOE was also months late in informing parents at these schools that their children’s data had been breached, and even now, refuses to provide any guidance to the many NYC schools that they should stop using the 16 other invasive PowerSchool programs that collect a wide range of personal student and teacher data, even though it’s been shown that the company did not employ even the most basic security measures to prevent hacking. PowerSchool is now being sued by more than 20 different states, districts, and class action lawsuits as a result.

The DOE’s lackadaisical attitude towards protecting student data is especially relevant right now, as mentioned above, as proposals to weaken their Chancellor’s regulation, A-820 are on the agenda to be voted on by the PEP at the end of the month.

The only significant concession DOE has made in the latest round of revisions to this regulation is to require a written agreement with the third parties with whom they want to share all this sensitive student data , but as we have seen in the PowerSchool breach, as well as many others, including the Illuminate breach that exposed the data of more than a million NYC current and former students, their written agreements have done little to stop the illegal disclosures and commercial exploitation of student data because of insufficient oversight and enforcement.

More details on the earlier PowerSchool breach and the recent ransomware attacks are below.

Background

The original hack of the PowerSchool School Information Systems (SIS) began on December 19 and ended on December 28. On January 6, PowerSchool informed hundreds of districts and schools systems nationwide and in Canada that personal data stored in their student information systems had been accessed; later they admitted that they paid ransom to the criminals in exchange for their promise to destroy the data.

Many districts throughout New York state and elsewhere alerted parents to the threat, in early to mid-January, and shortly thereafter advised them how to sign up for free identity theft insurance and credit monitoring offered by PowerSchool. It is well known that student data is very valuable for purposes of identity theft, as most children do not already have a credit rating.

Yet DOE said nothing to parents about this at the four affected schools, and in fact, when reporters asked in January if any NYC schools were affected, DOE told them no.

It was not until February 3 that I learned in an email from the NY State Education Department Chief Privacy Officer Louise de Candia that four NYC schools did indeed have their student data hacked, and she gave me the schools’ names. I forwarded this information to the Daily News reporter, Cayla Bamberger, who wrote an article about the breach on February 6 (free link here). I also posted more details about the breach on my blog.

But amazingly, even then the DOE refused to confirm the names of the affected schools to reporters, or to post their names on their website, even though the State Education Department specifically advised districts to do so, to alert former students to the risk to their privacy and safety. They wrote:

Like the Illuminate Education data breach that occurred in late 2021/early 2022, former students may be affected by this breach. Therefore, we recommend that educational agencies put a notification on their web page to capture as wide an audience as possible.

Further delay and inadequate notification of affected families and students

Only following the Daily News article did principals send a message to parents at these four schools, saying that they were still looking into whether their children’s data had been breached.

Not until March 7, more than two months after the initial reports, did DOE apparently confirm internally that NYC students, former students, and staff had their data stolen by hackers, even though back in January there were relatively simple instructions on Reddit and elsewhere on how schools and districts could check their SIS log files to confirm which students and teachers were affected, and what data had been stolen.

It was not until three weeks after that, the week of April 1, that the DOE mailed notification letters to affected students and staff, and not until April 3 was the following message posted on the DOE website:

“Approximately 3,437 students and 317 staff were affected by the PowerSchool SIS data security incident. … All students who were affected by this incident had the following information disclosed: name, student ID number, date of birth, grade level, expected graduation year, enrollment information, and home address. Some students also had race/ethnicity, gender, classroom assignment, parent name, parent email, home phone number, emergency contact name and phone, and medical contact information disclosed. All staff who were affected by this incident had their file number/employee ID disclosed.”

Still this statement was far from complete, as the DOE continued to refuse to disclose the names of the affected schools on the website, or that former students also had their data breached. This was confirmed to me by the DOE chief privacy officer Dennis Doyle after I asked him about it. Though he said he didn’t know how many former students were affected, “it’s possible the impacted data goes as far back as the 2021-22 school year.” By looking at the demographic snapshot just for Long Island City HS, that means that another 1,321 students who were enrolled that year but have since graduated or dropped out may also have their data hacked.

The NY Ed Law 2D regulations pertaining to student privacy require that parents be informed as soon as possible about a breach of personal student data and in no case, more than 60 calendar days after its discovery:

“Educational agencies shall notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach.”

Of course, 60 days is too long in any case; State Ed originally proposed 45 days in their regulations, but some districts apparently complained this was too short a time frame.. NY state has now amended its general business law to require all businesses to notify affected individuals of breaches within 30 days, though it’s not clear if schools and district apply.

In any case, given that districts were informed of the PowerSchool breach on January 7, that would make the deadline in state law for notification March 8, 2025 – and yet parents in NYC were not sent letters confirming their kids’ data was breached until three weeks later.

Unfortunately, the DOE has said nothing publicly about these recent ransomware attacks, though there is an update on their website dated May 8, the day after PowerSchool and numerous media accounts, including NBC news, reported on these new threats to student privacy. Instead, the DOE only informed parents on that date that the deadline to sign up for PowerSchool’s offer of free identity theft insurance had been extended to July 31, while adding, “There is no evidence of continued unauthorized access”, even as parents throughout the country were being warned otherwise.

For example, schools in North Carolina received extortion emails on May 7, according to the state Department of Education’s public bulletin, posted the same day, alerting the public that these criminals appeared to have students’ and staffers’ names, contact information, birthdays, medical information, parental information, and in some cases even their Social Security numbers.

The North Carolina State Superintendent produced a template that districts were asked to send to parents, warning them not to respond if contacted by these threat actors, and not to open any suspicious links or emails related to this incident, or engage with anyone claiming to have this data.”

About the more recent ransomware threats, there are three possible scenarios according to the analysis in this article: that the original hackers did not delete the data back in January as they promised PowerSchool after receiving payment; or they had already sold or released the data to another group before deleting it. There is a third possibility: that these latest demands are empty threats, but as PowerSchool reported, the samples of personal data sent to schools as warnings in May match the data previously stolen in December.

DOE’s continued lack of oversight, transparency and enforcement when it comes to student privacy

All this sadly might have been prevented if DOE had taken the necessary precautions. The privacy addendum that PowerSchool provided to DOE several years ago, and still posted on the DOE website should have provided sufficient warning. It said that the company will:

“Review data security and privacy policy and practices to ensure they are in conformance with all applicable federal, state, and local laws & the terms of this DSPP [Data Security Privacy Plan].… In the event Processor’s policy and practices are not in conformance, Processor will implement commercially reasonable efforts to ensure such compliance.”

In other words, PowerSchool proclaimed that they would comply with federal and state privacy laws — and their own contract with DOE – only if they felt it was “commercially reasonable” and would not unduly affect their bottom line.

I also pointed out that DOE allows schools to use 17 privacy-invasive PowerSchool programs that collect a huge amount of sensitive teacher and student data, and asked for a meeting to discuss the many other ways in which the DOE consistently fails to properly vet their privacy agreements or to follow up with their vendors to ensure they are adhering to these agreements. Here is a copy of one of the slides I sent him.

Similar problems with lack of careful vetting and oversight occurred earlier with the Illuminate breach, as I wrote at the time, whose posted privacy addendum hinted that the data was not properly encrypted. And while the DOE contract with Illuminate said they were entitled to security audits, it is unclear if they ever asked for one.

In any case, I never got the meeting with Dennis I had requested nor did I receive any response to my warnings about PowerSchool.

Even earlier, according to a January 2022 expose in The Markup, Naviance was found to have allowed colleges to place ads within its platform, disguised as objective recommendations, including ads that targeted only white students. – a practice that is clearly illegal under NY State law.

In May 2024, a multi-state parent class action lawsuit was filed in California alleging that PowerSchool disclosed personal student data, including highly sensitive health and disciplinary records to its third-party “partners” for commercial purposes, illegal in California, New York and many other states. Among other data points, the lawsuit pointed out that Naviance collects student citizenship status, which is especially sensitive data these days given the threat of immigrant deportation. More on this lawsuit here. Yet this news did not deter Bain Capital from acquiring PowerSchool in October 2024 for $5.6 billion.

Following the December 2024 breach, many states and districts have now sued PowerSchool for failing to implement the most basic security measures to protect against breaches, including multi-factor authentication. These lawsuits are demanding damages, and the court to require the company to strengthen its overall security systems, undertake a third-party security audit, and appoint an independent party to monitor progress. Some of these lawsuits, including one filed by the Eastern District of New York, have now been consolidated into a single court case in California. Many parents have joined separate class action lawsuits, organized by private law firms as well.

Two weeks ago, I wrote Dennis Doyle once again, and asked him the following question:

“What oversight does DOE maintain to ensure that PowerSchool and vendors in general to hold to the security protections in their contracts, especially given the weak language in its privacy addendum? This breach revealed that PowerSchool failed to use the most basic security measures, like multi-factor authentication, leading to at least 23 lawsuits including many states with far less protective privacy laws than NY. Clearly, they did not employ data minimization or deletion, as the law requires, given that the data of former students was breached.”

This was his brief response: “ Our vendors undergo a security review conducted by DIIT and, for those storing data in the cloud, a cloud review conducted by OTI.”

No acknowledgement was made of the obvious fact that these security reviews failed to identify the profound weaknesses in PowerSchool’s cybersecurity practices, or any of the other breaches that showed the lack of required measures to secure student data.

I also asked Dennis if he intends “to ask PowerSchool to revise their privacy addendum to fully comply with Ed Law 2D, and/or to take any other actions to discourage schools to use the other 16 PowerSchool products posted on your website that DOE has made available to schools, many of them with access to extremely sensitive teacher and student data?”

He responded this way: “ As I stated earlier, our data-processing agreement with PowerSchool requires them to fully comply with Ed Law 2-d, notwithstanding any response to the contrary in the supplemental questionnaire.” Our full exchange is posted here.

This is irresponsible in my view. DOE should have advised schools following the breach to cease using any of the 17 products supplied to schools by PowerSchool that collect highly sensitive teacher and student data, and should have immediately notified parents at the affected schools of the threat to their family’s privacy, as other districts in the state and nation did. DOE should also have also posted on their website more information about this breach, including the names of the affected schools and warned former students at these schools that their data may have been accessed as well.

In any case, DOE should do this now, given the renewed ransomware threats, and put out a press release to ensure that all parents, students, and former students at these schools sign up for the two years of the identity theft insurance and credit monitoring services offered by PowerSchool, as well as alerting them not to respond to cybercriminals if approached.

Whether the DOE itself could be in legal jeopardy by failing to inform parents in a timely manner of the breach and waiting months to alert them to the steps they should take to prevent further disclosures, and/or the manner in which they ignored red flags in their PowerSchool privacy agreement, are questions that only an experienced attorney could answer.

Sorry for the length of this message, but I do hope in any case, you will read our letter in opposition to the further weakening of the DOE privacy regulations, and consider signing it.

Categories Newsletters, Updates | Tags: | Posted on May 16, 2025

Social Networks:

Comments are closed.

Donate to Class Size Matters!

Please click here to make a tax-deductible contribution to our work.

Search

Sign our petition on class size!

Sign here to urge NYC to implement a real, multi-year strategy to lower class size, as the law intends, without exempting up to half or more of all students.

Take our 5-minute class size survey!

Subscribe & Get updates!

Click here to sign-up and receive our newsletters about our work and updates on actions you can do to help!

Talk out of School: WBAI Sunday at 7 PM EST or as a podcast

Talk out of School radio show and podcast airs Sunday night at 7 PM on WBAI 99.5 FM or online at www.wbai.org when Leonie Haimson and Daniel Alicea interview guests and discuss issues affecting public schools in NYC, the state level and nationally. You can stream or subscribe to the podcast here; or at iTunes, Spotify or Google.

Skinny award dinner honoring Rep. Jamaal Bowman!

We held our annual Skinny award dinner Wed. June 28, 2023, honoring Rep. Jamaal Bowman, former Bronx principal and now a progressive trailblazer who is fighting in Congress to protect and improve our public schools. More photos on Facebook .

Why class size matters!

Click here to see our video: parents, teachers & students explain why class size matters

FAQ on new class size law!

The NY State Legislature passed a new law in June 2022, mandating that NYC schools phase in smaller classes in all grades. Click here to learn more about this law.