Cybersecurity in schools: Experts say data breaches and other incidents put students at risk

As data breaches and other cyber incidents become more common at schools, experts say districts must be well-equipped to defend themselves against threats that could leave children at greater risk of identity theft. 

School districts are struggling to prioritize "things like field trips and busing, and this level of regular updated cybersecurity prevention is just not going to be feasible," said Michael Nizich, an adjunct associate professor of computer science at New York Institute of Technology. "I think what you're seeing is that these school districts are now becoming targets because of the value of data that criminals are starting to find."

More than 80% of K-12 organizations surveyed by the nonprofit Center for Internet Security reported experiencing a cyber incident. On Long Island, schools reported 28 cyber incidents in 2024, including some in which student information was shared with an unintended party, according to state education records obtained by Newsday through a Freedom of Information Law request.

Those incidents ranged from a student who gained access to a classmate's grade information to the data breach of a third-party contractor used by several schools throughout the Island, according to the records.

"At the end of the day, schools have an incredibly rich amount of data," said Randy Rose, vice president of security operations and intelligence at the Center for Internet Security in upstate East Greenbush. "People think it’s just grades, but it’s personal information about them, sometimes financial information. There’s data associated with kids that are in need. Data on kids that are in afterschool programs."

Rose said cyber incidents at schools could have "real life consequences" because they could impact afterschool initiatives and free meal programs, or disrupt exams.

And students, he said, are put at risk because data breaches that expose personal information could follow them into adulthood.

"When it comes time to go to college or get their first bank account, credit card, they're unable to," he said.

Ransomware attacks a concern

Experts said that about 45% of the time, cyberthreat actors targeted human behavior rather than technical vulnerabilities. Threat actors use cyberattacks such as online advertising to spread malware or through deceptive emails that seem to be from a legitimate source. 

Additionally, the threats are becoming more strategic, as these bad actors plan attacks during high-stakes times like exam weeks or right before a major holiday break, when people are more preoccupied.

Schools are targets for criminals who steal information and subject schools to ransomware attacks. In such an attack, a hacker infiltrates a school's information networks, disabling the system and demanding money to unlock it.

"They're going after them because there is a financial incentive," Rose said. "Even a rural school has a multimillion dollar budget."

PowerSchool, a cloud-based software provider used by thousands of districts, has said that it made the "difficult decision" to pay a ransom after a nationwide data breach in December. The breach, which exposed the sensitive information of thousands of students, staff and community members, impacted several Island schools. The breach reportedly occurred on Dec. 28, and was not included in the reports supplied by the state.

In a statement on Wednesday, the company said they were aware that "a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident." It was not clear if any Island districts were impacted.

Raptor Technologies breach

The 2024 records show that at least seven Long Island school districts were impacted by a breach of Raptor Technologies, a school safety and security software company that works with more than 5,000 school districts across the country. In the Smithtown district alone, the individual records of more than 1,100 students were affected.

In a statement, Smithtown's director of information technology, John Nolan, said the district uses a system from Raptor Technologies for management and communication during emergencies. In January 2024, Raptor informed the district of a "possible data issue that they first became aware of in December of 2023," he said.

Nolan said an "ethical cybersecurity researcher" found that transaction logs from Sept. 1, 2023, to Dec. 21, 2023, were not fully secured. The "researcher" then notified Raptor Technologies. The logs contained first name, last name, and district student ID numbers of 1,161 students, he said.

"Within 24 hours Raptor Technologies secured the data," he wrote in the statement. "Raptor Technologies has advised that there is no evidence that any of the information was subject to actual or attempted misuse. During this event, the district worked with the NYSED Data Privacy Office and notified all affected families directly by first-class mail." 

The Eastern Suffolk BOCES was also impacted. Chief operating officer David Wicks said they responded by making sure "none of data was compromised," then following up with the vendor and making sure the data was secure.

"To date we haven’t had any of our actual data compromised," he said.

Representatives for Raptor Technologies did not return a request for comment.

Protecting districts from attack

As cyber incidents become more frequent, school officials said they are taking precautions to combat these efforts.

In the Brentwood school district, students were asked to complete a survey as part of an effort to improve student outcomes.

Candice Cheng, the district's data protection officer, said in the course of troubleshooting she noticed that the district did not have a data protection agreement with the platform hosting the survey. Such agreements are required by the state.

"We determined that without the data protection agreement in place it was not going to be something we could continue with," she said.

Shortly after, the company and the district came to an agreement in which the student information, which included their first and last names and personal narrative statements, was deleted from the company’s database, Cheng said.

Thomas DeNicola, the district’s director of information technology and libraries, said no data was breached because of the quick action.

In the West Hempstead school district, director of technology Vincent Fleck said he sends out a monthly email to staff detailing scams and other potential threats.

But he said he sees more attackers going after faculty information such as Social Security numbers, direct deposit information and other financial data using personalized attacks. He said they often come in spurts and during slower times of the year.

"The hackers will pick Friday afternoons, they’ll pick Christmas break, they’ll pick Easter week," he noted. "They’re definitely getting more sophisticated."

He said the district uses software that enables artificial intelligence to comb through correspondence to detect threats, among other efforts.

Cheng and DeNicola, of Brentwood's technology team, said they also use multiple strategies to protect student and staff data.

"We’re always trying to leverage best practices," Cheng said. "We put products in place at every layer to try to protect us."

DeNicola said professional development is a big part of having a successful cybersecurity program.

"It’s that you’re educating the people that are actually the end users and that are in the system through ongoing PD [professional development], hitting the different stakeholder groups, policies in place and multiple layers in place," he said.

Experts' advice

Research by IBM found that the global average cost of a data breach was $4.88 million in 2024 — a 10% increase compared to last year and the highest total ever.

School districts should be prepared to go to a pre-malware state after an attack and have a comprehensive plan for responding to a breach, Nizich, of NYIT, said. He said schools should "change their philosophy" to understand that they are prime targets for attackers.

Rose added that school districts should create a culture of shared responsibility, enable direct lines of communication between IT teams and educators and implement technical controls. 

Rose and Nizich both stressed the importance of monitoring students' data, especially those already living in difficult circumstances.

"The data helps identify some of the most vulnerable people," Rose said. "Students that are at risk, whether through poverty, single-parent households or living through extended family."

Rose added: "The worst time to figure out what you're going to do in an incident is in the middle of an incident. You want to have that stuff well thought out ahead of time."

With Michael R. Ebert