Data Security Incidents

Parents and students who have reached age 18 have the right to be notified when their identifiable information has been the subject of unauthorized acquisition, access, use, or disclosure. Listed below are incidents of note. Impacted parents and students age 18 and older have been notified of these incidents. An incident of note is when the DOE relied on a vendor to assist with parental and student notifications. You can find out additional information about these events by clicking on the down arrow next to each incident.

Update on PowerSchool Student Information System (2025) 

PowerSchool (an online educational vendor) experienced a data security incident at the end of 2024. The incident impacted a PowerSchool application called PowerSchool Student Information System (SIS). New York City Public Schools as a system does not use PowerSchool SIS. A small number of New York City Public Schools currently or previously chose to use this application. 

What happened? 

A few months ago, a data security incident impacted PowerSchool SIS. NYC Public Schools, as a system, does not use PowerSchool SIS. However, a small number of NYC Public Schools independently chose to use this application. 

Here is what PowerSchool has said about the incident: 

• On December 28, 2024, PowerSchool became aware of a bad actor exporting data, including student information, from PowerSchool SIS.  

• Upon learning of the incident, PowerSchool engaged their cybersecurity response protocols to contain the incident. 

• There is no evidence of continued unauthorized access. 

• There is no evidence that other PowerSchool products were affected by this incident. 
  

How many people were affected? 

Approximately 3,437 students and 317 staff were affected by the PowerSchool SIS data security incident. 

When were students and staff notified of the incident?  

In late January, NYCPS confirmed that a small number of NYCPS schools were affected by this data security. These schools messaged their school community about the PowerSchool SIS data security incident on February 10, 2025.  

On March 7, 2025, NYCPS confirmed which students, staff, and data elements were affected by the PowerSchool SIS data security incident. We verified these students’ and staff contact information and began preparing notifications. NYCSP mailed notification letters to affected students and staff during the week of April 1, 2025. The letters describe what happened, what information was impacted, and how to enroll in free identity monitoring services.   

What information was involved?  

Each notification letter states what specific information of yours/your child’s was affected.  

All students who were affected by this incident had the following information disclosed: name, student ID number, date of birth, grade level, expected graduation year, enrollment information, and home address. Some students also had race/ethnicity, gender, classroom assignment, parent name, parent email, home phone number, emergency contact name and phone, and medical contact information disclosed.  

All staff who were affected by this incident had their file number/employee ID disclosed.  

I was affected by this incident. What can I do to protect my information? 

PowerSchool is offering two years of free identity monitoring services provided by Experian to students and staff whose information was affected by this data security incident. There is no cost to you, but you must enroll and activate the services yourself.  

Follow the instructions and use the activation code and engagement number in your notification letter to activate the identity and credit monitoring services. The deadline to enroll is May 30, 2025 at 12:59am EST. Your code will not work after this date and time. 

For over the phone assistance with enrollment, please contact Experian’s customer care team at 833-918-9464, Monday through Friday, 9:00am - 9:00pm Eastern Time. 

What is the deadline to enroll in identity monitoring services?  

The deadline to enroll is May 30, 2025 at 12:59am EST. Your code will not work after this date and time. 

Who can I contact with questions? 

For over the phone assistance with enrollment, please contact Experian’s customer care team at 833-918-9464, Monday through Friday, 9:00am - 9:00pm Eastern Time. 

For more information about the incident, you can visit https://www.powerschool.com/security/sis-incident/.  

If you have any questions about data privacy and security at NYCPS, please contact us at studentprivacy@schools.nyc.gov.

Malware at North Star Academy (MS 340/I.S. 340) (2025)

What happened?

On January 6, 2025, New York City Public Schools (NYCPS) discovered that a computer at North Star Academy was infected with malware. Upon discovering the computer was infected with malware, NYCPS disconnected the computer from the internet and turned the machine off. Later, an investigation conducted by the NYCPS Security Incident Response Team determined the malware program copied approximately 10,000 files from the computer to an external server controlled by an unauthorized third party.  

When did this happen?

New York City Public Schools (NYCPS) discovered on January 6, 2025, that a computer at North Star Academy was infected with malware.

What type of information was disclosed?   

Most of the copied files were internet links, flyers, and other resources that did not contain student information. However, approximately 250 of the copied files contained information about current and former North Star Academy students. 

• For most students, the impacted files contained some combination of the following information: student name, student ID number, date of birth, school email address, grade level, advisory class schedule, parent name and contact information, and scores on social and emotional learning assessments. 

• For some students, the impacted files included photos from school events, records related to meetings with the school social worker, and information about compensatory special education services. 

How many people were affected by this incident?

Approximately 424 current and former North Star Academy students were affected by this incident.

What can I do to protect my child’s information? 

NYCPS is offering affected individuals two years of identity monitoring services through our vendor, IDX. There is no cost to you, but you must enroll and activate the services yourself. 

To enroll your in identity monitoring services, visit https://app.idx.us/account-creation/protect, scan the QR image at the top of your letter, or call 1-800-939-4170. It only takes five minutes to enroll. You will be asked to provide the enrollment code found above. The deadline to enroll is June 10, 2025.

As an additional precaution, NYCPS encourages students to update their NYCPS account password. There are three different ways you and your child can reset their password: 

1. Students can reset their passwords through the Student Self-Service tool at  https://selfservice.schools.nyc/. To use the Student Self-Service tool, students must have created a PIN or set up security questions. 

2. Parents or guardians can reset student’s passwords in their New York City Schools Account (NYCSA) by visiting https://www.schoolsaccount.nyc. If you don’t have a NYCSA account, you can create one for free. 

3. Ask your school to reset your password for you.  

When is the deadline to enroll in identity monitoring services?

The deadline to enroll is June 10, 2025.

PowerSchool Student Information System (2025)

PowerSchool (an online educational vendor) experienced a data security incident at the end of 2024. The incident impacted a PowerSchool application called PowerSchool Student Information System (SIS). New York City Public Schools as a system does not use PowerSchool SIS. A small number of New York City Public Schools currently or previously chose to use this application.

 Here is what we have been told:

• On December 28, 2024, PowerSchool became aware of a bad actor exporting personal information from PowerSchool SIS. Upon learning of the incident, PowerSchool engaged their cybersecurity response protocols.
• PowerSchool does not have evidence that there is an ongoing risk. 
• PowerSchool does not have evidence that other PowerSchool products were affected by this incident.

NYCPS has confirmed that student information at a few NYCPS schools were affected by this data security. These schools messaged their school community about the PowerSchool SIS data security incident on February 10, 2025. 

We are working with PowerSchool to understand which students and what type of data were affected by this incident. If your child’s data was affected by this incident, you will receive a separate notice informing you how your child was impacted and how to enroll your child in identity-monitoring services at no cost to you.

We will update this webpage with more information as it becomes available. You may also visit PowerSchool’s SIS Cybersecurity Incident page for additional information.

Update on 2022 Illuminate Education Incident (2024)

The following is an update on the 2022 data security incident involving Illuminate Education (Illuminate).

What was the Illuminate data security incident?

Illuminate is a company that provides educational software applications and technology support to schools. Prior to June 30, 2022, several NYCPS schools used Illuminate applications to track student attendance, log assignments and grades, communicate with families, administer tests and exams, and help with other administrative work.

In January 2022, Illuminate became aware of suspicious activity in some of its applications. In March 2022, Illuminate confirmed to NYCPS that between December 28, 2021, and January 8, 2022, some of Illuminate’s databases containing student information were subject to unauthorized access. In May 2022, NYCPS notified current and former students who Illuminate identified as having been affected by this incident. NYCPS offered affected students the opportunity to enroll in two years of identity monitoring services, free of cost.

In May 2022, NYCPS directed all schools to stop using Illuminate products by the end of the school year. NYCPS schools no longer use Illuminate products.

More information about the incident and how NYCPS responded in 2022 is below under the “Illuminate Education (2022)” drop-down.

What is the update?

In October 2023, Illuminate notified NYCPS that it became aware that additional individuals and data elements were affected by the 2022 data security incident. NYCPS diligently worked to obtain from Illuminate complete and accurate information about which additional students and data were affected. NYCPS then had to validate this information in order to provide accurate notifications. 

Has there been another Illuminate data security incident?

No. This is an update on the data security incident that occurred in 2022.

How many students has Illuminate newly identified as being affected by the 2022 data incident?

Approximately 387,000 current and former NYCPS students were newly identified as being affected by Illuminate’s data security incident in 2022.

Approximately 94,000 current and former NYCPS students are receiving a second notice about this incident because Illuminate identified additional information of theirs that was affected by the 2022 data security incident.

What type of information was affected?

The data affected by the 2022 data security incident varied from student to student. Each notification letter describes what information was affected. Most impacted students had their name, student ID number, and/or data of birth disclosed. Many students also had at least one of the additional following types of data impacted:

• Demographic information such as age, sex, race, ethnicity, home language, zip code, parent contact information, and graduation date.
• Enrollment information such as grade level, teacher name, classroom number, schedule information, course name, course subject, and school name.
• Academic and behavior information such as GPA, reading level, test scores, disciplinary information, and attendance information.
• Special education information such as whether a student has an Individualized Education Plan (IEP) (but not the contents of the IEP itself).

No Social Security numbers were affected by this incident. 

Why am I receiving an update two years after Illuminate experienced the data security incident?

According to Illuminate, between Fall 2022 and Fall 2023, Illuminate conducted an additional investigation into the 2022 data security incident which revealed that more students and data were affected by the 2022 data security incident than initially determined. Illuminate notified NYCPS in October 2023 that it believed additional students and data were affected. NYCPS diligently worked to obtain complete and accurate information about which additional students and data were affected from Illuminate. NYCPS then had to validate this information in order to provide accurate notifications. 

Does NYCPS still use Illuminate products?

No. In May 2022, NYCPS directed all schools to stop using Illuminate products by the end of the school year.

Why does Illuminate still have data about NYCPS students?

Due to ongoing inquiries from government regulators, and class action lawsuits in which Illuminate is named as a defendant, Illuminate is required by law to retain data affected by the 2022 data security incident. All other data that was not affected by the 2022 data security incident have been returned to NYCPS.

I have been identified as being affected by the 2022 data security incident. What can I do to protect my information?

If you received a letter from NYCPS about this incident through our vendor, IDX, you have an opportunity to enroll in two years of free credit/identity monitoring services. NYCPS will cover the cost, but you must enroll and activate the services yourself.

If you previously enrolled in the free two years of identity monitoring services in 2022, then the services will automatically be extended two more years (for a total of four years of identity monitoring services). No action is required and there will be no cost to you. To verify that your identity monitoring services were automatically extended, log into your IDX account and check that the expiration date is 2026. If your membership was not extended, call 1-888-974-9412.

To enroll in credit and identity monitoring services for the first time, visit https://app.idx.us/account-creation/protect, scan the QR image at the top of your letter, or call 1-888-974-9412. It only takes five minutes to enroll. You will be asked to provide the enrollment code found at the top of your letter.

The deadline to enroll is July 30, 2024.

When is the deadline to enroll in identity monitoring services?

 The deadline to enroll is July 30, 2024.

Update on MOVEit Data Incident (2023)

What happened? 

On June 1, 2023, the DOE was notified of a technical vulnerability in MOVEit software. DOE used MOVEit to transfer files internally and to and from vendors. There were no warnings about this vulnerability until MOVEit announced it. The DOE fully patched the software within hours of learning about the vulnerability.

An internal investigation determined that approximately 19,000 unique DOE files were copied on May 28, 2023 as a result of the vulnerability. The types of files that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status. Our investigation also confirmed that the files were copied, but not deleted or edited. No other parts of the DOE network were accessed.

The DOE took the MOVEit server offline. It remains offline out of an abundance of caution. 

Once our internal investigation determined that DOE files were accessed without authorization, we immediately began working with a leading e-discovery firm to analyze the magnitude and scope of the incident. As soon as the e-discovery firm provided us with a preliminary assessment on June 23, 2023, we provided information to the public and emailed both staff and families. 

The DOE is one of numerous government agencies and private companies around the globe to be impacted by this incident. The FBI is investigating the broader MOVEit breach, and the DOE is cooperating with the investigation. 

What is MOVEit? What did DOE use MOVEit for? 

MOVEit is software the DOE used to transfer files internally and to and from vendors.

Is DOE still using MOVEit? 

No. We took the DOE server hosting the MOVEit software offline. It remains offline out of an abundance of caution.

Is there anything DOE could have done to prevent this data security incident? 

No. This incident was the result of what is called a “zero-day” vulnerability in the MOVEit software. A zero-day vulnerability is when no one, not even the software developer, knows about the flaw. The DOE had no warnings about this vulnerability until MOVEit announced it.

The DOE complies with all privacy laws, including New York State Education Law 2-d, and has strong data security processes and systems in place. These include encrypting data in transit and at rest, using multi-factor authentication, regularly conducting internal testing, and implementing enhancements to ensure our applications and infrastructure remain protected. In addition, all DOE employees take data privacy training on an annual basis. Unfortunately, these privacy and data security measures could not have prevented the MOVEit incident. 

Visit the DOE’s Data Privacy and Security Policies page for more information about how the DOE protects information.

Why weren’t people made aware of the incident sooner?

Once our internal investigation determined that DOE files were accessed without authorization, we immediately began working with a leading e-discovery firm to analyze the scope of the incident. As soon as the e-discovery firm provided us with a preliminary assessment on June 23, 2023, we provided information to the public and emailed both staff and families. 

Once we determined exactly who was impacted by the incident and which of their information was exposed, we began preparing notifications to the individuals whose confidential information was compromised. Affected students were mailed notification letters on August 7, 2023. The overwhelming majority of affected employees and third-party evaluators were mailed notification letters on August 15, 2023. A small group of affected employees were mailed notification letters on September 15, 2023. Individuals who receive the notification are being offered access to credit/identity protection services. 

What type of information was accessed? 

Approximately 19,000 unique documents were accessed. The types of documents that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status. 

A summary of the types of sensitive data impacted is below:

• Two or more of the following types of information were disclosed about students: name, student ID (OSIS) number, date of birth, and special education information. 

• For a small percentage of students, their parent’s names, home addresses, and/or phone number were also disclosed.

• For DOE employees whose sensitive information was impacted, all had their name disclosed, and for the vast majority, employee ID number and/or information about leave status was also disclosed.

• At least one of the following types of sensitive information was disclosed about third-party evaluators: date of birth, home address, and/or US tax identification number. 

• Social Security numbers were accessed for approximately 9,700 employees and third-party evaluators. No students’ Social Security numbers were accessed. 

The type of data impacted varied from person to person. Each notification letter states what specific information was affected. 

How many people were affected by this incident? 

Approximately 40,000 students, and approximately 170,000 DOE staff and third-party evaluators, had sensitive information exposed.

I was affected by this incident. What can I do to protect my information? 

If you receive a letter from the DOE about this incident through our vendor, IDX, you have an opportunity to enroll in two years of free credit/identity protection services. The DOE will cover the cost, but you must enroll and activate the services. 

To enroll in the credit/identity protection services, call 1-800-939-4170 or 1-888-429-9444, scan the QR code at the top of your letter, or visit https://app.idx.us/account-creation/protect. It only takes five minutes to enroll. You will be asked to provide the Enrollment Code found at the top of your letter.

IDX representatives are available Monday through Friday, from 9 am - 9 pm Eastern Time. Over-the-phone interpretation services are available.

The deadline to enroll in these services has been extended until December 15, 2023. 

What is the deadline for registering for the pre-paid package of identity protection services? 

The deadline to enroll in credit/identity protection services was November 7, 2023, but has been extended until December 15, 2023.

Has law enforcement been notified? 

Yes. The DOE is one of many government agencies and private companies around the globe to be impacted by the MOVEit incident. The FBI is investigating the MOVEit breach , and the DOE is cooperating with the investigation.

Community Letter on MOVEit Data Incident (2023)

Dear Families and Staff:

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers.

This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point.

We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,
Emma Vadehra
Chief Operating Officer
New York City Department of Education

PETS (2023)

What happened? 

On the evening of February 7, 2023, the DOE deployed an update to the Personnel Eligibility Tracking System (PETS). A temporary bug in the system allowed vendors to view on screen and download information about their own employees as well as other vendors’ employees when conducting searches; search results were not limited to the employees of the vendor conducting the search. DOE was alerted to the bug on February 8, 2023 at 10:30am. The system was promptly taken offline and the issue was addressed. 

What is PETS?

PETS has personal information for current and former vendor employees who provide or have provided services to students.

The PETS application allows DOE vendors to manage their roster of employees who provide services to students. It also enables the DOE to track which vendors’ employees are eligible to work in schools and with students. 

When did this incident happen?

Between February 7, 2023 at 9pm until February 8, 2023 at 10:30am.

How many people were affected?

Approximately 80,000 current or former employees of DOE vendors who provide or have provided services to students. 

How will I know if I was affected?

Affected employees received notice about this incident in the mail during the week of June 26. The type of information in your PETS record that was exposed is specified in the letter you received. The letter also specifies whether your information was viewed on screen or exported.

I was affected by this incident. What can I do to protect my information?

For employees who received a letter from the DOE about this incident, the DOE is offering an opportunity to enroll in two years of free credit monitoring and identity theft monitoring services through our vendor, IDX. The DOE will cover the cost, but you must enroll and activate the services.

To enroll in credit monitoring and identity theft monitoring services, call 1-800-939-4170 or visit https://app.idx.us/account-creation/protect. You will be asked to provide the Enrollment Code found on the top of your letter. IDX representatives are available Monday through Friday, from 9 am - 9 pm Eastern Time. The deadline to enroll in these services is September 28, 2023.

What is the deadline for registering for the pre-paid package of identity protection services?

The deadline to enroll in identity and credit monitoring services is September 28, 2023.

What is the New York City Department of Education doing to prevent this kind of exposure from happening again? 

Upon learning of the bug, the DOE promptly took PETS offline and addressed the issue. The DOE also contacted the eight vendor users who accessed information about other vendors’ employees during the relevant time period, directing them to delete and destroy all copies of the information, physical and/or electronic. All eight vendor users confirmed they deleted and destroyed the records. 

The DOE is committed to strengthening our testing and review processes for all application updates, including future updates to PETS. The DOE is also considering enhancing PETS to restrict the personal information that a vendor can view and export.

Who should I contact if I have questions? 

For more information, please email SIRT@schools.nyc.gov.