A data breach at Plainedge Public Schools last month exposed records of nearly 100 employees in an incident that officials said since has been resolved, according to a report the district filed with the state Education Department.
The incident report, which Newsday obtained through a Freedom of Information Law request, said 99 employees’ names, phone numbers, emails and ID numbers appeared to have been exposed in an external system breach involving "malicious code."
Schools have become prime targets for cybercriminals because they hold data that can be sold or used for identity theft and fraud, cyber experts said.
From 2019 to 2021, at least 29 ransomware, computer hacks and other cyber incidents were reported by Long Island schools, including a major ransomware attack in September that prompted Manhasset schools to temporarily shut down its computer network.
It is unclear how the Plainedge incident was detected and what other sensitive information was “impacted,” as the answers to those questions were redacted in the reporting form to the state.
Superintendent Edward A. Salina Jr. did not respond to multiple requests for comment. Neither did Deputy Superintendent Guy J. Le Vaillant, who reported the incident to the state.
Perry Fuchs, president of the district's teacher union, declined to comment.
It appears that Social Security numbers and dates of birth were not revealed, according to the report. The superintendent did not respond to an emailed question seeking clarification.
The incident occurred on June 14 and was discovered that day, according to the report, which is undated. Officials wrote in the form that the affected employees would be notified by letter on June 24.
The Plainedge district has a full-time staff of more than 850, according to state data. It is made up of three elementary schools, one middle school and one high school, totaling 2,843 students.
The virus has been eradicated and systems have been recovered and restored, according to the incident report.
District officials said they reported the breach to Nassau County police, the U.S. Department of Homeland Security, the Office of the New York State Attorney General, New York State Office of Information Technology Services, the Consumer Protection Division under New York State Department of State, and regional BOCES.
The district also said it has worked with vendors and agencies, including Homeland Security, to identify a root cause. And there was an investigation performed by a third party.
Remote learning during the COVID-19 pandemic made schools more reliant on technology, which opened them up more for cyberattacks.
Doug Levin, national director of the K12 Security Information Exchange, a Virginia-based national nonprofit that tracks cyber incidents on schools, said districts are “increasingly being targeted.”
“They are, by and large, what you might consider to be soft targets. They're not particularly well-protected given the value of what they manage,” Levin said. “We would certainly argue that schools need to treat cybersecurity risks … as seriously as they treat physical security risks on campus.”