{"id":187600,"date":"2026-04-06T21:03:15","date_gmt":"2026-04-06T21:03:15","guid":{"rendered":"https:\/\/www.newsbeep.com\/us-ny\/187600\/"},"modified":"2026-04-06T21:03:15","modified_gmt":"2026-04-06T21:03:15","slug":"nys-school-data-incidents-surged-in-2025","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/us-ny\/187600\/","title":{"rendered":"NYS school data incidents surged in 2025"},"content":{"rendered":"<p>Reports of compromised student data and\u00a0cybersecurity\u00a0in schools surged\u00a0statewide in 2025,\u00a0according to\u00a0education officials.<\/p>\n<p>Statewide, data incident reports\u00a0rose\u00a072%, from 384 in 2024 to 662 in 2025,\u00a0an annual report issued by the state Education Department&#8217;s chief privacy officer found. On Long Island, schools reported\u00a044 data\u00a0incidents in 2025, a jump\u00a0from 35 the year prior, according to figures provided by the state.<\/p>\n<p> <img decoding=\"async\" src=\"https:\/\/www.newsbeep.com\/us-ny\/wp-content\/uploads\/2026\/04\/1775509394_990_thumbnail.jpeg\" width=\"100%\" alt=\"visualization\"\/><\/p>\n<p>In 2021, 71 incidents were reported statewide.<\/p>\n<p>&#8220;The landscape over the last five years\u00a0has increased in terms of the cyberthreat activity that K through 12 schools are facing,&#8221; said TJ Sayers, senior director of threat intelligence at the Center for Internet Security, a nonprofit based in upstate Greenbush. 
&#8220;They are low-hanging fruit in some cases and are easy to be attacked.&#8221;<\/p>\n<p>WHAT NEWSDAY FOUND<\/p>\n<p>Data incident reports filed by school districts\u00a0surged statewide in 2025.<\/p>\n<p>Some school districts continue to fear sensitive data will be exposed and land in the wrong hands.<\/p>\n<p>Experts said schools must juggle a complicated network of technology, including outside contractors that run their own systems.<\/p>\n<p>Data incidents involve any event where confidential information\u00a0is improperly exposed or shared, either maliciously or accidentally.\u00a0They can range from a clerical error to data breaches and phishing scams; most, but not all, involve information stored digitally.<\/p>\n<p>Experts said the uptick in such incidents underscored how vulnerable schools are and the limitations they face while managing\u00a0an array of digital systems.\u00a0Budgetary constraints could prevent schools from hiring dedicated cybersecurity staff,\u00a0deploying the most current safeguards and investing in the latest technology. Schools also\u00a0rely\u00a0on third-party vendors they have little oversight over,\u00a0experts said.<\/p>\n<p>Douglas Levin, national director of the K12 Security Information eXchange, a Virginia nonprofit that tracks cyber incidents at schools, said districts handle a\u00a0patchwork of technology that can be more complicated than that of private businesses. 
For example, schools may have a range of systems online, from their building security and cameras to their food service payment programs.<\/p>\n<p>But, in contrast to the private sector, schools do not necessarily have the funding to prioritize cybersecurity, industry specialists said.<\/p>\n<p>\u201cSchool leaders have to balance how much money they are going to devote to cybersecurity versus some other priority,\u201d Levin said.<\/p>\n<p>Despite making improvements in recent years in both identifying incidents and incorporating more robust security measures, he said,\u00a0\u201cThe [schools]\u00a0still struggle with these issues. And we see school districts, every week across this country, responding to incidents that they face.\u201d<\/p>\n<p>&#8216;Our biggest fear&#8217;<\/p>\n<p>In 2025, the state reported\u00a0341 data incidents were due to human error \u2014 when\u00a0someone accidentally shares private information\u00a0to an unintended person or group. About one-third, or 230, involved &#8220;unauthorized access or disclosure by a third-party contractor.&#8221;\u00a0External breaches\u00a0or hacking accounted for 221 incidents, according to the state report.<\/p>\n<p>Phishing was cited in 32 reports. Two were blamed on ransomware and malware attacks, the report found. (Individual data incidents could have more than one cause.)<\/p>\n<p>A breakdown for Long Island was not available.<\/p>\n<p>\u201cI think our biggest risk, and also our biggest fear, is data breaches,&#8221; said James Richroath, executive director of technology for the Patchogue-Medford school district. 
&#8220;Is student information or staff information getting in the hands of people that it shouldn&#8217;t be in?\u00a0That&#8217;s something that we take very seriously, and we are concerned about.&#8221;<\/p>\n<p> <img alt=\"James Richroath, of the Patchogue-Medford district, said data breaches are...\" loading=\"lazy\" width=\"770\" height=\"433.125\" decoding=\"async\" data-nimg=\"1\" style=\"color:transparent\"  src=\"https:\/\/www.newsbeep.com\/us-ny\/wp-content\/uploads\/2026\/04\/1775509394_419_image.jpeg\"\/><\/p>\n<p>James Richroath, of the Patchogue-Medford district, said data breaches are &#8220;our biggest fear.&#8221; Credit: Newsday\/Steve Pfost<\/p>\n<p>Those concerns hit home\u00a0when the information system at\u00a0PowerSchool suffered what is\u00a0considered to be the largest student\u00a0data breach nationwide. It impacted at least<a class=\"nd-link\" href=\"https:\/\/www.newsday.com\/long-island\/education\/data-breach-school-districts-powerschool-fal4qrt3\" rel=\"nofollow noopener\" target=\"_blank\"> nine districts and an educational agency<\/a>\u00a0on Long Island in late 2024, and\u00a0<a class=\"nd-link\" href=\"https:\/\/www.powerschool.com\/security\/sis-incident\/\" rel=\"nofollow noopener\" target=\"_blank\">continued to affect some schools the following year.<\/a>\u00a0Most of the 221 data breaches in\u00a02025 were related to PowerSchool, according to the state report.<\/p>\n<p>Another big data breach occurred in 2022 when the technology company Illuminate Education was hacked, leaking the personal data of 1.7 million students in New York, including some on Long Island. 
New York Attorney General Letitia James in November reached a $5.1 million settlement with the company, which was found to lack basic safeguards and must now &#8220;take steps to enhance and strengthen their cybersecurity practices,&#8221; according to a news release.<\/p>\n<p>Leaked\u00a0data could have yearslong security repercussions for families who have\u00a0to monitor their credit, according to experts.\u00a0PowerSchool<a class=\"nd-link\" href=\"https:\/\/www.powerschool.com\/security\/sis-incident\/notice-of-united-states-data-breach\/\" rel=\"nofollow noopener\" target=\"_blank\"> offered two years of free credit monitoring and identification protection for students and educators who were affected.<\/a><\/p>\n<p>Examples of phishing in 2025 included\u00a0a fake request for transcripts and\u00a0a scam email from an internal email address that included a form. Some students completed the form with their name, phone number, email and bank information, according to the state report. In another case, administrators were sent\u00a0spoofed emails from one of their law firms, the report said.<\/p>\n<p>Such scams can\u00a0cost districts millions of dollars. Earlier this\u00a0month, the Nassau County District Attorney\u2019s Office announced a California woman had been\u00a0indicted on grand larceny charges after a 2024 email\u00a0purporting to be from the finance director of a K-12\u00a0charter school requested the Hempstead school district send payment to a new bank account. The district transferred $3.5 million into the account,\u00a0which allegedly belonged to the woman. 
A district spokesman said\u00a0approximately $3.3\u00a0million was later recovered.<\/p>\n<p>Richroath said phishing has been an issue in his district.<\/p>\n<p>&#8220;We&#8217;re a big district\u2026.Especially during the holiday season, we&#8217;ll see an increase in the number of phishing attempts for free gift cards that are fake and stuff like that,&#8221; he said.<\/p>\n<p>Compliance concerns<\/p>\n<p>Another hurdle schools face is making sure applications and third-party vendors they contract\u00a0with comply with state, federal and local policies intended to keep personal data safe.<\/p>\n<p>Schools that work with third-party vendors to handle\u00a0personal student information are required to include protections like a\u00a0data security and privacy plan, a\u00a0parents&#8217; bill of rights and minimum technical safeguards, according to a\u00a0state Education Department spokeswoman.<\/p>\n<p>Richroath\u00a0said even though the district <a class=\"nd-link\" href=\"https:\/\/studentprivacycompass.org\/wp-content\/uploads\/2020\/01\/NYS-Education-Law-2-d-at-a-Glance_FPF.Playwell.pdf\" rel=\"nofollow noopener\" target=\"_blank\">follows the safety and security policies required by the state,\u00a0<\/a>overseeing third-party vendors places an unnecessary strain on them.<\/p>\n<p>He said vendors must sign annual contracts regarding the policies. But even with these provisions, most schools have to trust third-party companies are adhering to\u00a0all the proper procedures, experts said.\u00a0<\/p>\n<p>\u201cIt&#8217;s just a lot on the district&#8217;s plate&#8230;\u00a0we should be worried about that, but it puts a lot\u00a0to make sure that we&#8217;re getting these contracts signed annually,\u201d Richroath said. 
He added,\u00a0\u201cEven though we do all the ed law paperwork, are they following that and are they reporting it to us in a timely fashion?\u201d<\/p>\n<p>He said it would be helpful for the state to compile a list of vetted applications and vendors that districts can use. Additional funding, whether through federal or local grants, would also help strengthen their measures, he said.<\/p>\n<p>Sandeep Dhillon, director of district technology services at Nassau BOCES, said his organization runs a\u00a0managed security operations center that partners with industry providers and has\u00a0dedicated cybersecurity staff.\u00a0He said roughly two dozen\u00a0districts have signed up for the program.<\/p>\n<p>&#8220;We have analysts dedicated to specific schools, and\u00a0we ramp up staff as the demand goes higher,&#8221; he said.<\/p>\n<p> <img alt=\"Sandeep Dhillon at Nassau BOCES in Westbury. He said about...\" loading=\"lazy\" width=\"770\" height=\"433.125\" decoding=\"async\" data-nimg=\"1\" style=\"color:transparent\"  src=\"https:\/\/www.newsbeep.com\/us-ny\/wp-content\/uploads\/2026\/04\/1775509395_522_image.jpeg\"\/><\/p>\n<p>Sandeep Dhillon at Nassau BOCES in Westbury. He said about two dozen districts partner with the agency for cybersecurity. Credit: Morgan Campbell<\/p>\n<p>Nassau Board of Cooperative Educational Services uses automation and artificial intelligence\u00a0to cut down on costs, he said. The\u00a0 price per district depends on the number of students and staff but he said\u00a0the program is more affordable\u00a0than many other third-party options.<\/p>\n<p>He said the security team has seen an uptick in phishing as well as &#8220;spear phishing,&#8221; when someone\u00a0attempts to obtain sensitive information through email by\u00a0impersonating a trusted source.\u00a0<\/p>\n<p>&#8220;The threats are now more geared toward the entire ecosystem in schools. 
Often what is missing is having visibility into platforms, applications and have a strong vetting process which requires the additional staff and budget,&#8221; he said.<\/p>\n<p>Dhillon and other experts said AI is increasingly being used to create more sophisticated schemes.\u00a0Sayers,\u00a0at the Center for Internet Security, said AI is playing\u00a0a bigger role in creating codes used in ransomware or malware attempts. In particular, he said he is seeing more large language models being utilized.<\/p>\n<p>\u201cWe saw some interesting signs that malware authors are leveraging AI to help compile the code,\u201d and spread malware through networks, he said.\u00a0This generates scams that appear more realistic and could be committed even by people with little software knowledge.\u00a0<\/p>\n<p>\u201cWe very rarely see any typographical mistakes in phishing lures anymore,&#8221; he said.\u00a0Fake websites intended to scrape information now appear to be a \u201cmirror image of a legitimate website,&#8221; he said.<\/p>\n<p>\u201cAs AI takes hold, the barrier for entry has never been lower for malicious actors to enter this space, so we&#8217;re anticipating K-12s to remain a leading target into the future,\u201d Sayers said.<\/p>\n<p>Newsday&#8217;s Michael R. Ebert contributed to this report.<\/p>\n<p>DATA PROTECTION TIPS<\/p>\n<p>Experts said schools, parents and students should take proactive steps to make sure their data is protected. Here are some tips they offer:<\/p>\n<p>Any programs with artificial intelligence should be reevaluated to determine their privacy and security terms. Software and security systems should\u00a0be updated.<\/p>\n<p>Schools must have a clear incident response plan that covers how\u00a0and when to notify parents and staff of compromised data.<\/p>\n<p>Staff and students should also be trained to identify threats, including through phishing simulations.<\/p>\n
<p>When a breach is reported, a student&#8217;s credit should be frozen and parents should\u00a0monitor for new accounts opened in their names.<\/p>\n<p>Passwords should be long,\u00a0unique and\u00a0not reused. Multi-factor authentication\u00a0should be enabled.<\/p>\n<p>Students should\u00a0report suspicious messages, logins\u00a0or device behavior to\u00a0school tech staff quickly. Early reporting can limit the spread of ransomware or phishing campaigns.<\/p>\n<p>Students should be careful\u00a0sharing\u00a0their personal information in forms or apps.<\/p>\n<p> <img alt=\"Lorena Mongelli\" loading=\"lazy\" width=\"88\" height=\"104\" decoding=\"async\" data-nimg=\"1\" style=\"color:transparent\"  src=\"https:\/\/www.newsbeep.com\/us-ny\/wp-content\/uploads\/2026\/04\/1775509395_149_image.jpeg\"\/><\/p>\n<p>Lorena Mongelli has been reporting for Newsday since 2021. Prior to that, she covered breaking news at the New York Post.<\/p>\n","protected":false},"excerpt":{"rendered":"Reports of compromised student data and\u00a0cybersecurity\u00a0in schools surged\u00a0statewide in 2025,\u00a0according to\u00a0education officials. 
Statewide, data incident reports\u00a0rose\u00a072%, from 384&hellip;\n","protected":false},"author":2,"featured_media":187601,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[67,9,11,10,49,51,50,8017],"class_list":{"0":"post-187600","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-new-york","8":"tag-education","9":"tag-new-york","10":"tag-new-york-headlines","11":"tag-new-york-news","12":"tag-new-york-state","13":"tag-new-york-state-headlines","14":"tag-new-york-state-news","15":"tag-state-region"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/posts\/187600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/comments?post=187600"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/posts\/187600\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/media\/187601"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/media?parent=187600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/categories?post=187600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us-ny\/wp-json\/wp\/v2\/tags?post=187600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}