School cyber incidents on Long Island: Reported cases rose sharply in 2023
Steve Morgan, founder of the Northport-based Cybersecurity Ventures, a provider of data and analytics for the industry, said K-12 schools nationally, and globally, are facing "relentless cyberattacks ... Long Island is reflective of that." Credit: Rick Kopstein
Long Island schools saw a big increase in the number of reported computer hacks and other cyber incidents in 2023 compared with the prior year, and human error continued to be a major cause of exposing sensitive student information such as special education disabilities and disciplinary problems, records show.
Island schools reported 35 cyber incidents last year, a bump of 52% from 23 the year before, according to state Education Department records obtained by Newsday via a Freedom of Information Law request. The numbers showed a continuing year-over-year trend of increasing incidents, as the 2022 figure represented twice as many as in 2021.
Many of these cyber troubles were self-inflicted. Human error on the part of school workers caused about half of them, a total of 16, despite many districts implementing cybersecurity training for workers to spot suspicious emails and secure records.
The incidents disrupt school instruction and operations, even as they impact the lives of students, their families and teachers. When a student's personal information is wrongly made public, especially regarding special education students, the student could be subject to bullying, discrimination and threats, experts say.
Island school districts responded to these cyber incidents by deleting certain information, providing workers with additional training and notifying parents of the affected students, records showed.
Bay Shore Superintendent Steven Maloney said the district responded quickly to the problem there.
"The incident in question stemmed from a data processing error and was addressed appropriately," Maloney said. "Reporting and notification took place in accordance with New York State Education Law. The potential for future similar incidents was neutralized by a change in procedure.”
The Data Incident Reports highlight the often precarious state of privacy regarding student and staff information in the digital world. The reports show the great majority of these cyber incidents are not major disruptions that cripple a district's computer systems for months, but isolated events that most often affect, say, dozens of students.
At the same time, schools remain a prime target for cybercriminals who steal information and subject schools to ransomware attacks. In such an attack, a hacker infiltrates a school's information networks, disabling the system and demanding money to unlock it.
This month, Hempstead police and Nassau County district attorney’s officials said they are investigating a theft of up to $3.5 million from the Hempstead school district. Hackers intercepted the $3.5 million wire payment from the district to Evergreen Charter School, but police and banking officials were able to stop all but $300,000 of the payment from being obtained by the hackers, school officials said.
Hempstead school board President Lamont Johnson has not said how or when the hack occurred.
“It is an ongoing investigation and there is nothing else we are able to say at this time without compromising the investigation. The appropriate law enforcement officials are working on the case,” he said in a statement last Monday emailed by a representative. Johnson has said the theft will not affect district finances and that the district was insured.
The cyber incidents in Long Island schools mirror the national picture.
"K-12 schools nationally, and globally, are facing relentless cyberattacks. ... Long Island is reflective of that," said Steve Morgan, founder of the Northport-based Cybersecurity Ventures, a provider of data and analytics for the industry.
The cyber incidents from Long Island's 124 public school districts track with increases statewide, as New York had a record number of such events in 2022, many due to human error. The state had 140 reported incidents that year, nearly doubling the 71 reports seen in the prior year, according to the state Education Department's 2022 Annual Report on Data Privacy and Security, which is the most recent data available.
Across the country, there were more than 1,330 publicly disclosed cyber incidents involving K-12 schools from 2016 to 2022, according to the K12 Security Information eXchange, a Virginia nonprofit that tracks cyberattacks on schools.
These mistakes, intrusions and thefts can be costly — losses to school districts range from $50,000 to $1 million per school data breach, as they often require replacing computer hardware and improving cybersecurity to prevent future events, according to the Government Accountability Office.
Training can make a big difference, experts say.
"Training employees tops the list of what can be done to improve security because [many] cyber incidents are due to human error," Morgan said. "The key is ongoing training, not just one-time programs."
But training only goes so far, as cybercriminals have become increasingly adept at disguising their malicious emails as innocuous, said Doug Levin, national director of K12 Security Information eXchange.
"You're never going to train your way out of this," Levin said. He said software companies should build in safeguards that don't allow workers to inadvertently release information that should remain private. "It shouldn't be able to happen."
Sometimes, a single wrong click on a computer can mean trouble.
In September, the Jericho transportation director inadvertently hit "Reply All" in response to an email from a parent, thereby making the parent's email available to an entire parent group, records showed. The email contained the parent's name and address as well as the grade level of a student and the grade level and address of the student's sibling, records show.
"The director of transportation contacted my office to determine why a parent's emails were going out to an entire parent group," said Patrick Fogarty, the district technology director, in the report. The district notified the parent who had sent the email and the state Education Department, he said.
Many school districts have been improving their defenses against cyberattacks, installing software protections, employing tech specialists and establishing protocols in the event of an event.
"We're more prepared in every way," Fogarty said in an email to Newsday, noting the district has 24/7 monitoring of its networks, mandatory training for staff, and a new email system that allows for one-click encryption of sensitive data. Encryption converts information or data into a code, which can only be read by the person receiving the email.
Fogarty noted that the district has implemented email protections that include an automatic notification when a person inputs personally identifiable information, and encourages the user to either remove the information or enable encryption.
"We can't expect people to be perfect, so we have a robust system in place for breaches and inadvertent disclosures," Fogarty said. "Planning for a world without human error is a fool's errand."
The Uniondale school district was struck by a ransomware attack last April, when a tech employee working during spring break noticed a suspicious file in the computer system. Quick thinking and preparation helped limit the damage and down time on the system, the records said.
The Uniondale IT crew, working with outside cybersecurity experts, shut down the computer network and put in place a new one, and all desktop computers were cleared of data and provided new operating systems, records showed.
"Any data stolen or compromised was limited to that which was on the district's internal servers," Superintendent Monique Darrisaw-Akil said in an April message to the school community. The hacker was able to access student and personnel information such as email addresses, home addresses and phone numbers, she said.
The stolen information was posted on a dark web website as evidence that the cybercrime group had breached data security protocols, she said. She noted that much of the data is stored on cloud-based systems — such as the district's email system, and financial and student management and food service systems — which were not compromised, records showed.
"We do not believe any sensitive student, faculty, or district information was compromised," Darrisaw-Akil said in the message.
School districts don't have to be the target of a cyberattack in order for students and staff to be vulnerable to one. Schools are increasingly using contractors and vendors to provide student services and officials often don't have a good way to vet a company's cybersecurity, Levin said.
"When one vendor has an issue, it can affect so many people," he said.
New York Therapy Placement Services, a Farmingdale-based company that provides services for special-needs students, was the victim of a cyberattack in November. The breach included sensitive information of several Island districts and personal information, records said. Those districts included Baldwin, Freeport, Hewlett-Woodmere, West Babylon, Massapequa and Patchogue-Medford.
The breach of the company occurred around 11:30 a.m. Nov. 28 when a worker received an email that appeared to originate from a school district but was actually a phishing attack, according to the records. In a phishing attack, the cybercriminal masquerades as a reputable source and lures the targeted person to open an email, which allows the thief into the system.
The worker entered her credentials to retrieve the email and, within 24 hours, the phisher began sending emails using the employee's email account, the reports said. The hacker accessed an employee's file that contained the identities, addresses and dates of birth for 41 children in 28 school districts who were awaiting placements with therapists, records showed.
Upon discovering the breach, the placement company "secured the employee's email account, initiated an investigation and shared appropriate information with our school district partners and the New York State Education Department," said John Johnson, the company CEO, in a statement.
Johnson did not respond to a question on how many of the affected districts were on Long Island.
Looking ahead, Levin, of K12 Security Information eXchange, said many school officials remain tight-lipped about cyber incidents, refraining from reporting them to the state and, in some instances, taking months to alert victims. Newsday tried to reach 10 districts that had reports for comment, and only two — Jericho and Bay Shore — responded. The public relations representatives for some districts said officials were unavailable due to the winter break.
School officials often fear, Levin said, that discussing specifics of their networks could expose weaknesses in the system.
In terms of new trends, Levin said he's seeing more class-action lawsuits by victims of cyberattacks against those entities that handle their data.
Moreover, cybercriminals also are using the advances being made in artificial intelligence to better disguise their ransomware and phishing attempts, so people will open their emails and enter their passwords and credentials.
"Their tactics continue to evolve," Levin said, emphasizing the importance of cybersecurity in schools as a way to "lessen the impact on people involved and maintain the trust of the community."
With Arielle Martinez, Nicholas Spangler and Joie Tyrrell
Long Island schools saw a big increase in the number of reported computer hacks and other cyber incidents in 2023 compared with the prior year, and human error continued to be a major cause of exposing sensitive student information such as special education disabilities and disciplinary problems, records show.
Island schools reported 35 cyber incidents last year, a bump of 52% from 23 the year before, according to state Education Department records obtained by Newsday via a Freedom of Information Law request. The numbers showed a continuing year-over-year trend of increasing incidents, as the 2022 figure represented twice as many as in 2021.
Many of these cyber troubles were self-inflicted. Human error on the part of school workers caused about half of them, a total of 16, despite many districts implementing cybersecurity training for workers to spot suspicious emails and secure records.
The incidents disrupt school instruction and operations, even as they impact the lives of students, their families and teachers. When a student's personal information is wrongly made public, especially regarding special education students, the student could be subject to bullying, discrimination and threats, experts say.
WHAT TO KNOW
- Long Island schools saw a significant increase in the number of reported computer hacks and other cyber incidents last year compared to the prior year, rising from 23 to 35.
- About half of the problems were traced to worker mistakes such as publicly exposing students' disabilities, psychological evaluations or placements in special education, records showed.
- The reports highlight the often precarious state of privacy regarding student and staff information in schools.
Island school districts responded to these cyber incidents by deleting certain information, providing workers with additional training and notifying parents of the affected students, records showed.
Bay Shore Superintendent Steven Maloney said the district responded quickly to the problem there.
"The incident in question stemmed from a data processing error and was addressed appropriately," Maloney said. "Reporting and notification took place in accordance with New York State Education Law. The potential for future similar incidents was neutralized by a change in procedure.”
The Data Incident Reports highlight the often precarious state of privacy regarding student and staff information in the digital world. The reports show the great majority of these cyber incidents are not major disruptions that cripple a district's computer systems for months, but isolated events that most often affect, say, dozens of students.
At the same time, schools remain a prime target for cybercriminals who steal information and subject schools to ransomware attacks. In such an attack, a hacker infiltrates a school's information networks, disabling the system and demanding money to unlock it.
This month, Hempstead police and Nassau County district attorney’s officials said they are investigating a theft of up to $3.5 million from the Hempstead school district. Hackers intercepted the $3.5 million wire payment from the district to Evergreen Charter School, but police and banking officials were able to stop all but $300,000 of the payment from being obtained by the hackers, school officials said.
Hempstead school board President Lamont Johnson has not said how or when the hack occurred.
“It is an ongoing investigation and there is nothing else we are able to say at this time without compromising the investigation. The appropriate law enforcement officials are working on the case,” he said in a statement last Monday emailed by a representative. Johnson has said the theft will not affect district finances and that the district was insured.
The cyber incidents in Long Island schools mirror the national picture.
"K-12 schools nationally, and globally, are facing relentless cyberattacks. ... Long Island is reflective of that," said Steve Morgan, founder of the Northport-based Cybersecurity Ventures, a provider of data and analytics for the industry.
Mistakes can be costly
The cyber incidents from Long Island's 124 public school districts track with increases statewide, as New York had a record number of such events in 2022, many due to human error. The state had 140 reported incidents that year, nearly doubling the 71 reports seen in the prior year, according to the state Education Department's 2022 Annual Report on Data Privacy and Security, which is the most recent data available.
Across the country, there were more than 1,330 publicly disclosed cyber incidents involving K-12 schools from 2016 to 2022, according to the K12 Security Information eXchange, a Virginia nonprofit that tracks cyberattacks on schools.
These mistakes, intrusions and thefts can be costly — losses to school districts range from $50,000 to $1 million per school data breach, as they often require replacing computer hardware and improving cybersecurity to prevent future events, according to the Government Accountability Office.
Training can make a big difference, experts say.
"Training employees tops the list of what can be done to improve security because [many] cyber incidents are due to human error," Morgan said. "The key is ongoing training, not just one-time programs."
Sometimes, just a single wrong click can mean trouble. Credit: Dawn McCormick
But training only goes so far, as cybercriminals have become increasingly adept at disguising their malicious emails as innocuous, said Doug Levin, national director of K12 Security Information eXchange.
"You're never going to train your way out of this," Levin said. He said software companies should build in safeguards that don't allow workers to inadvertently release information that should remain private. "It shouldn't be able to happen."
Sometimes, a single wrong click on a computer can mean trouble.
In September, the Jericho transportation director inadvertently hit "Reply All" in response to an email from a parent, thereby making the parent's email available to an entire parent group, records showed. The email contained the parent's name and address as well as the grade level of a student and the grade level and address of the student's sibling, records show.
"The director of transportation contacted my office to determine why a parent's emails were going out to an entire parent group," said Patrick Fogarty, the district technology director, in the report. The district notified the parent who had sent the email and the state Education Department, he said.
Many school districts have been improving their defenses against cyberattacks, installing software protections, employing tech specialists and establishing protocols in the event of an event.
"We're more prepared in every way," Fogarty said in an email to Newsday, noting the district has 24/7 monitoring of its networks, mandatory training for staff, and a new email system that allows for one-click encryption of sensitive data. Encryption converts information or data into a code, which can only be read by the person receiving the email.
Fogarty noted that the district has implemented email protections that include an automatic notification when a person inputs personally identifiable information, and encourages the user to either remove the information or enable encryption.
"We can't expect people to be perfect, so we have a robust system in place for breaches and inadvertent disclosures," Fogarty said. "Planning for a world without human error is a fool's errand."
Quick thinking and preparation helped limit damage to the Uniondale system, according to records. Above, Uniondale High School. Credit: Newsday/Steve Pfost
Ransomware attack in Uniondale
The Uniondale school district was struck by a ransomware attack last April, when a tech employee working during spring break noticed a suspicious file in the computer system. Quick thinking and preparation helped limit the damage and down time on the system, the records said.
The Uniondale IT crew, working with outside cybersecurity experts, shut down the computer network and put in place a new one, and all desktop computers were cleared of data and provided new operating systems, records showed.
"Any data stolen or compromised was limited to that which was on the district's internal servers," Superintendent Monique Darrisaw-Akil said in an April message to the school community. The hacker was able to access student and personnel information such as email addresses, home addresses and phone numbers, she said.
The stolen information was posted on a dark web website as evidence that the cybercrime group had breached data security protocols, she said. She noted that much of the data is stored on cloud-based systems — such as the district's email system, and financial and student management and food service systems — which were not compromised, records showed.
"We do not believe any sensitive student, faculty, or district information was compromised," Darrisaw-Akil said in the message.
Other vulnerabilities
School districts don't have to be the target of a cyberattack in order for students and staff to be vulnerable to one. Schools are increasingly using contractors and vendors to provide student services and officials often don't have a good way to vet a company's cybersecurity, Levin said.
"When one vendor has an issue, it can affect so many people," he said.
New York Therapy Placement Services, a Farmingdale-based company that provides services for special-needs students, was the victim of a cyberattack in November. The breach included sensitive information of several Island districts and personal information, records said. Those districts included Baldwin, Freeport, Hewlett-Woodmere, West Babylon, Massapequa and Patchogue-Medford.
The breach of the company occurred around 11:30 a.m. Nov. 28 when a worker received an email that appeared to originate from a school district but was actually a phishing attack, according to the records. In a phishing attack, the cybercriminal masquerades as a reputable source and lures the targeted person to open an email, which allows the thief into the system.
The worker entered her credentials to retrieve the email and, within 24 hours, the phisher began sending emails using the employee's email account, the reports said. The hacker accessed an employee's file that contained the identities, addresses and dates of birth for 41 children in 28 school districts who were awaiting placements with therapists, records showed.
Upon discovering the breach, the placement company "secured the employee's email account, initiated an investigation and shared appropriate information with our school district partners and the New York State Education Department," said John Johnson, the company CEO, in a statement.
Johnson did not respond to a question on how many of the affected districts were on Long Island.
Looking ahead, Levin, of K12 Security Information eXchange, said many school officials remain tight-lipped about cyber incidents, refraining from reporting them to the state and, in some instances, taking months to alert victims. Newsday tried to reach 10 districts that had reports for comment, and only two — Jericho and Bay Shore — responded. The public relations representatives for some districts said officials were unavailable due to the winter break.
School officials often fear, Levin said, that discussing specifics of their networks could expose weaknesses in the system.
In terms of new trends, Levin said he's seeing more class-action lawsuits by victims of cyberattacks against those entities that handle their data.
Moreover, cybercriminals also are using the advances being made in artificial intelligence to better disguise their ransomware and phishing attempts, so people will open their emails and enter their passwords and credentials.
"Their tactics continue to evolve," Levin said, emphasizing the importance of cybersecurity in schools as a way to "lessen the impact on people involved and maintain the trust of the community."
With Arielle Martinez, Nicholas Spangler and Joie Tyrrell
Craig Schneider is a Long Island native and Stony Brook University alumnus. He joined Newsday as a general assignment reporter in January 2018 after 20 years at the Atlanta Journal-Constitution.
