School cyber incidents on Long Island: Number of reported cases more than doubled last year, records show
Long Island schools saw the number of reported computer hacks and other cyber incidents more than double last year — to 23 — compared to the prior year, with about half of the problems coming from worker mistakes such as publicly exposing students' disabilities, psychological evaluations or placements in special education, records showed.
Twelve of the cyber incidents were due to human error, according to state Education Department records obtained by Newsday via a Freedom of Information Law request. Overall, the number of cyber incidents on Long Island jumped from 10 reported in 2021.
The errors include a Bay Shore school district teacher publishing an online article that contained a pupil's name and status as a "classified" student, records show. The term "classified" can mean the student was in special education or has learning or behavior problems.
Floral Park schools accounted for two of the cyber mistakes, one in which a worker sent a notice to the wrong parents that identified students with disabilities. Then, a few weeks later, a worker sent a parent a schedule of special education meetings that included the names of students, the reports showed.
The Data Incident Reports highlight the often-precarious state of privacy regarding student and staff information in schools. Many workers lack an understanding of what information can and cannot be made public, according to the state Education Department's 2022 Annual Report on Data Privacy and Security.
“This suggests we are working too quickly and that there is a lack of understanding of privacy laws and protections, even among educational agency administrators,” Louise DeCandia, the state Education Department chief privacy officer, said in the data report.
Newsday requested cyber incident reports for the calendar year 2022.
The cyber incidents from Long Island's 124 school districts track with those statewide, as New York had a record number of such incidents last year, many of them due to human error. The state had 140 reported incidents, nearly doubling the 71 reported incidents seen in the prior year, according to the annual data report. Moreover, the findings showed that 45% of the incidents reported to the state last year were due to human error.
DeCandia attributed the jump in incidents, in part, to the increase in online learning following the pandemic. Each additional computer in a student's hands represents another potential entry point for a cybercriminal, she said.
In addition, DeCandia said, she's made extra efforts to instruct school officials that these incidents must be reported. She also pointed to a massive hack of the outside agency Illuminate Education, which provided data services for schools across the country, including Baldwin, Eastern Suffolk BOCES and Cold Spring Harbor.
Schools remain a popular target for cyberattacks such as ransomware, in which a hacker breaches a computer system, locks up the data and demands money to release it. Eight of the Island's reported cyber incidents last year came from hackers gaining unauthorized access to a system.
In July, Mattituck-Cutchogue workers saw that two of its computer servers were locked and that the hackers left a ransomware note. The cyberattack disrupted the district’s phones, internet and other software for about two months, the incident report said.
Superintendent Shawn C. Petretti said the damage could have been worse, but workers detected it within an hour of when it occurred. He credited the workers' cybersecurity training. Petretti said the district did not pay the ransom and the report said no personal information was compromised.
“When a cyberattack happens — you don't realize how every single thing that you do … from getting in and out of classrooms to classroom doors — all of those things are tied to our technology systems in one way or another,” he said.
Ransomware attacks can come with a hefty price tag. The Suffolk County government system suffered a crippling cyberattack in September, knocking out the county’s main site and numerous online services for nearly six months. The county refused to pay the hackers' demand of $2.5 million. Reports of the cost of the event range anywhere from $5.4 million for the investigation and restoration to more than $17 million for things such as new software and security licenses and hardware needed to replace older or damaged systems.
Steve Morgan, founder of the Northport-based Cybersecurity Ventures, a provider of data and analytics for the industry, said he believes Long Island schools had taken cybersecurity too lightly for years.
"It was not until the beginning of last year when schools had a major wake-up call — after the publicity around ransomware attacks — that we started to see a lot of districts scrambling to put better security in place," Morgan said.
Eastern Suffolk BOCES has a regional information center, one of a dozen throughout the state that provides data privacy and security support for school districts. The center, which offers a mix of free and paid services, recently began offering assessments to school districts of their cybersecurity and technology staffing needs, center director Darlene Roces said.
When school officials speak about cyber insurance, they often are speaking of two distinct forms of protection, Morgan said. One is a policy with an insurance company, which can cost only a few thousand dollars a year, and which could pay out as much as a million dollars. He estimated that the majority of Island districts have such a policy.
But such policies often don't include monitoring, testing and physically responding to an on-site cyberattack, he said. So some districts obtain a separate "incident response contract" with a cybersecurity company to cover such events. These contracts can cost tens of thousands of dollars a year, and Morgan said he believes fewer than half of Island districts have them.
"The biggest risk for any school is its ability to respond to, and recover, from a ransomware incident," Morgan said. "And most are woefully unprepared."
Jericho schools Superintendent Henry Grishman has said his district spends about $75,000 a year on cyber insurance, which includes monitoring, testing and incident response.
When a school worker makes a mistake that discloses personnel information, the incidents tend to affect fewer people than large cyberattacks and ransomware incidents, said Douglas Levin, national director of the K-12 Security Information Exchange, a Virginia nonprofit that tracks cyber incidents in schools. But the toll taken on individuals can be devastating, since files on students and staff can contain sensitive medical conditions, criminal records and psychological evaluations, Levin said.
In May of last year, a Bay Shore parent complained that a teacher published an online article that identified his son by name, and that he was a "classified student." In addition, the parent said that although he informed the district of the disclosure, the posting remained on the web and was subject to subsequent disclosures through retweets, according to the report and a separate review by the privacy office.
The state privacy office determined that the Bay Shore district had violated the federal Family Educational Rights and Privacy Act, or FERPA, which restricts the release of a student's personal information. Moreover, state education law requires school districts to report a wrongful disclosure within 10 days after learning about it — and the district failed to do so, the review noted.
In addition, state regulations require education workers to receive annual training on state and federal laws that protect personal information. Bay Shore's confidentiality training had not been updated since 2013, before the adoption of the education law, according to the review.
The district eventually submitted a report on the incident, noting that school officials contacted the teacher to ensure that the article was removed from the web. The district also took unspecified employment actions regarding the teacher and updated its confidentiality training, according to the report.
"The Bay Shore School District takes student privacy seriously," Superintendent Steven Maloney said in a statement. "This year, we have enhanced that training with the inclusion of presentations regarding privacy, specifically FERPA, during faculty meetings and other professional development."
Two other districts — Oceanside and Bayport-Blue Point — were criticized in recent data security audits by the office of state Comptroller Thomas DiNapoli.
For Oceanside, the auditors determined that district officials did not monitor whether certain employees, who handle sensitive data, followed district policy prohibiting internet activities outside their job duties. The activities include shopping, entertainment, personal email, online gaming and social networking. Ultimately, five of the district's computers required special software to resolve suspected infections, said the audit released in March.
Oceanside Superintendent Phyllis Harrington said the district has strengthened internal IT controls and emphasized compliance with the policy. All employees must complete annual training, she said.
In Bayport-Blue Point, auditors determined the district did not establish adequate network controls for its computer accounts. That led to an increased risk of unauthorized access and loss of data. Auditors found 281 user accounts that were no longer necessary, including many assigned to people no longer working for the district, the audit said.
Superintendent Timothy Hearney said the district has tightened procedures and hired a new personnel director in 2019 who instituted greater controls over the notification of employee status.
Meanwhile, schools are finding greater challenges in protecting their systems and data.
Levin, who tracks trends in cybercrime, said schools are finding it more difficult to secure cyber insurance against incidents and attacks. The insurance companies, having suffered major ransom payouts, have increased their rates and demanded that schools install some security measures to be eligible for the insurance, he said.
Morgan, for his part, said cyber problems — particularly hacks and ransomware attacks — often occur well before they are discovered. Oftentimes, weeks pass after the initial intrusion is made, while data is illegally accessed, viewed and stolen, he said.
"Right now, it is likely that schools on Long Island are cybercrime victims, but they don't know it yet," he said.
With Arielle Martinez
Long Island schools saw the number of reported computer hacks and other cyber incidents more than double last year — to 23 — compared to the prior year, with about half of the problems coming from worker mistakes such as publicly exposing students' disabilities, psychological evaluations or placements in special education, records showed.
Twelve of the cyber incidents were due to human error, according to state Education Department records obtained by Newsday via a Freedom of Information Law request. Overall, the number of cyber incidents on Long Island jumped from 10 reported in 2021.
The errors include a Bay Shore school district teacher publishing an online article that contained a pupil's name and status as a "classified" student, records show. The term "classified" can mean the student was in special education or has learning or behavior problems.
Floral Park schools accounted for two of the cyber mistakes, one in which a worker sent a notice to the wrong parents that identified students with disabilities. Then, a few weeks later, a worker sent a parent a schedule of special education meetings that included the names of students, the reports showed.
WHAT TO KNOW
- Long Island schools saw the number of computer hacks and other cyber incidents more than double last year — to 23 — compared to the prior year.
- About half of the problems were traced to worker mistakes such as publicly exposing students' disabilities, psychological evaluations or placements in special education, records showed.
- The reports highlight the often-precarious state of privacy regarding student and staff information in schools. A number of workers lacked an understanding of what information can and cannot be made public.
The Data Incident Reports highlight the often-precarious state of privacy regarding student and staff information in schools. Many workers lack an understanding of what information can and cannot be made public, according to the state Education Department's 2022 Annual Report on Data Privacy and Security.
“This suggests we are working too quickly and that there is a lack of understanding of privacy laws and protections, even among educational agency administrators,” Louise DeCandia, the state Education Department chief privacy officer, said in the data report.
Newsday requested cyber incident reports for the calendar year 2022.
The cyber incidents from Long Island's 124 school districts track with those statewide, as New York had a record number of such incidents last year, many of them due to human error. The state had 140 reported incidents, nearly doubling the 71 reported incidents seen in the prior year, according to the annual data report. Moreover, the findings showed that 45% of the incidents reported to the state last year were due to human error.
DeCandia attributed the jump in incidents, in part, to the increase in online learning following the pandemic. Each additional computer in a student's hands represents another potential entry point for a cybercriminal, she said.
In addition, DeCandia said, she's made extra efforts to instruct school officials that these incidents must be reported. She also pointed to a massive hack of the outside agency Illuminate Education, which provided data services for schools across the country, including Baldwin, Eastern Suffolk BOCES and Cold Spring Harbor.
Schools still seeing cyberattacks
Schools remain a popular target for cyberattacks such as ransomware, in which a hacker breaches a computer system, locks up the data and demands money to release it. Eight of the Island's reported cyber incidents last year came from hackers gaining unauthorized access to a system.
In July, Mattituck-Cutchogue workers saw that two of its computer servers were locked and that the hackers left a ransomware note. The cyberattack disrupted the district’s phones, internet and other software for about two months, the incident report said.
Superintendent Shawn C. Petretti said the damage could have been worse, but workers detected it within an hour of when it occurred. He credited the workers' cybersecurity training. Petretti said the district did not pay the ransom and the report said no personal information was compromised.
“When a cyberattack happens — you don't realize how every single thing that you do … from getting in and out of classrooms to classroom doors — all of those things are tied to our technology systems in one way or another,” he said.
Ransomware attacks can come with a hefty price tag. The Suffolk County government system suffered a crippling cyberattack in September, knocking out the county’s main site and numerous online services for nearly six months. The county refused to pay the hackers' demand of $2.5 million. Reports of the cost of the event range anywhere from $5.4 million for the investigation and restoration to more than $17 million for things such as new software and security licenses and hardware needed to replace older or damaged systems.
Steve Morgan, founder of the Northport-based Cybersecurity Ventures, a provider of data and analytics for the industry, said he believes Long Island schools had taken cybersecurity too lightly for years.
"It was not until the beginning of last year when schools had a major wake-up call — after the publicity around ransomware attacks — that we started to see a lot of districts scrambling to put better security in place," Morgan said.
Eastern Suffolk BOCES has a regional information center, one of a dozen throughout the state that provides data privacy and security support for school districts. The center, which offers a mix of free and paid services, recently began offering assessments to school districts of their cybersecurity and technology staffing needs, center director Darlene Roces said.
When school officials speak about cyber insurance, they often are speaking of two distinct forms of protection, Morgan said. One is a policy with an insurance company, which can cost only a few thousand dollars a year, and which could pay out as much as a million dollars. He estimated that the majority of Island districts have such a policy.
But such policies often don't include monitoring, testing and physically responding to an on-site cyberattack, he said. So some districts obtain a separate "incident response contract" with a cybersecurity company to cover such events. These contracts can cost tens of thousands of dollars a year, and Morgan said he believes fewer than half of Island districts have them.
"The biggest risk for any school is its ability to respond to, and recover, from a ransomware incident," Morgan said. "And most are woefully unprepared."
Jericho schools Superintendent Henry Grishman has said his district spends about $75,000 a year on cyber insurance, which includes monitoring, testing and incident response.
When a school worker makes a mistake that discloses personnel information, the incidents tend to affect fewer people than large cyberattacks and ransomware incidents, said Douglas Levin, national director of the K-12 Security Information Exchange, a Virginia nonprofit that tracks cyber incidents in schools. But the toll taken on individuals can be devastating, since files on students and staff can contain sensitive medical conditions, criminal records and psychological evaluations, Levin said.
In May of last year, a Bay Shore parent complained that a teacher published an online article that identified his son by name, and that he was a "classified student." In addition, the parent said that although he informed the district of the disclosure, the posting remained on the web and was subject to subsequent disclosures through retweets, according to the report and a separate review by the privacy office.
The state privacy office determined that the Bay Shore district had violated the federal Family Educational Rights and Privacy Act, or FERPA, which restricts the release of a student's personal information. Moreover, state education law requires school districts to report a wrongful disclosure within 10 days after learning about it — and the district failed to do so, the review noted.
In addition, state regulations require education workers to receive annual training on state and federal laws that protect personal information. Bay Shore's confidentiality training had not been updated since 2013, before the adoption of the education law, according to the review.
The district eventually submitted a report on the incident, noting that school officials contacted the teacher to ensure that the article was removed from the web. The district also took unspecified employment actions regarding the teacher and updated its confidentiality training, according to the report.
"The Bay Shore School District takes student privacy seriously," Superintendent Steven Maloney said in a statement. "This year, we have enhanced that training with the inclusion of presentations regarding privacy, specifically FERPA, during faculty meetings and other professional development."
Counselor shares sensitive link
Two other districts — Oceanside and Bayport-Blue Point — were criticized in recent data security audits by the office of state Comptroller Thomas DiNapoli.
For Oceanside, the auditors determined that district officials did not monitor whether certain employees, who handle sensitive data, followed district policy prohibiting internet activities outside their job duties. The activities include shopping, entertainment, personal email, online gaming and social networking. Ultimately, five of the district's computers required special software to resolve suspected infections, said the audit released in March.
Oceanside Superintendent Phyllis Harrington said the district has strengthened internal IT controls and emphasized compliance with the policy. All employees must complete annual training, she said.
In Bayport-Blue Point, auditors determined the district did not establish adequate network controls for its computer accounts. That led to an increased risk of unauthorized access and loss of data. Auditors found 281 user accounts that were no longer necessary, including many assigned to people no longer working for the district, the audit said.
Superintendent Timothy Hearney said the district has tightened procedures and hired a new personnel director in 2019 who instituted greater controls over the notification of employee status.
Meanwhile, schools are finding greater challenges in protecting their systems and data.
Levin, who tracks trends in cybercrime, said schools are finding it more difficult to secure cyber insurance against incidents and attacks. The insurance companies, having suffered major ransom payouts, have increased their rates and demanded that schools install some security measures to be eligible for the insurance, he said.
Morgan, for his part, said cyber problems — particularly hacks and ransomware attacks — often occur well before they are discovered. Oftentimes, weeks pass after the initial intrusion is made, while data is illegally accessed, viewed and stolen, he said.
"Right now, it is likely that schools on Long Island are cybercrime victims, but they don't know it yet," he said.
With Arielle Martinez