NYS school data incidents rose 72% in 2025, with 44 reported on Long Island
Reports of compromised student data and cybersecurity incidents in schools surged statewide in 2025, according to education officials.
Statewide, data incident reports rose 72%, from 384 in 2024 to 662 in 2025, an annual report issued by the state Education Department's chief privacy officer found. On Long Island, schools reported 44 data incidents in 2025, a jump from 35 the year prior, according to figures provided by the state.
In 2021, 71 incidents were reported statewide.
"The landscape over the last five years has increased in terms of the cyberthreat activity that K through 12 schools are facing," said TJ Sayers, senior director of threat intelligence at the Center for Internet Security, a nonprofit based in upstate Greenbush. "They are low-hanging fruit in some cases and are easy to be attacked."
WHAT NEWSDAY FOUND
- Data incident reports filed by school districts surged statewide in 2025.
- Some school districts continue to fear sensitive data will be exposed and land in the wrong hands.
- Experts said schools must juggle a complicated network of technology, including outside contractors that run their own systems.
Data incidents involve any event where confidential information is improperly exposed or shared, either maliciously or accidentally. They can range from a clerical error to data breaches and phishing scams; most, but not all, involve information stored digitally.
Experts said the uptick in such incidents underscored how vulnerable schools are and the limitations they face while managing an array of digital systems. Budgetary constraints could prevent schools from hiring dedicated cybersecurity staff, deploying the most current safeguards and investing in the latest technology. Schools also rely on third-party vendors they have little oversight over, experts said.
Douglas Levin, national director of the K12 Security Information eXchange, a Virginia nonprofit that tracks cyber incidents at schools, said districts handle a patchwork of technology that can be more complicated than that of private businesses. For example, schools may have a range of systems online, from their building security and cameras to their food service payment programs.
But, in contrast to the private sector, schools do not necessarily have the funding to prioritize cybersecurity, industry specialists said.
“School leaders have to balance how much money they are going to devote to cybersecurity versus some other priority,” Levin said.
Despite making improvements in recent years in both identifying incidents and incorporating more robust security measures, he said, “The [schools] still struggle with these issues. And we see school districts, every week across this country, responding to incidents that they face.”
'Our biggest fear'
In 2025, the state reported 341 data incidents were due to human error — when someone accidentally shares private information with an unintended person or group. About one-third, or 230, involved "unauthorized access or disclosure by a third-party contractor." External breaches or hacking accounted for 221 incidents, according to the state report.
Phishing was cited in 32 reports. Two were blamed on ransomware and malware attacks, the report found. (Individual data incidents could have more than one cause.)
A breakdown for Long Island was not available.
"I think our biggest risk, and also our biggest fear, is data breaches," said James Richroath, executive director of technology for the Patchogue-Medford school district. "Is student information or staff information getting in the hands of people that it shouldn't be in? That's something that we take very seriously, and we are concerned about."
James Richroath, of the Patchogue-Medford district, said data breaches are "our biggest fear." Credit: Newsday/Steve Pfost
Those concerns hit home when the information system at PowerSchool suffered what is considered to be the largest student data breach nationwide. It impacted at least nine districts and an educational agency on Long Island in late 2024, and continued to affect some schools the following year. Most of the 221 data breaches in 2025 were related to PowerSchool, according to the state report.
Another big data breach occurred in 2022 when the technology company Illuminate Education was hacked, leaking the personal data of 1.7 million students in New York, including some on Long Island. New York Attorney General Letitia James in November reached a $5.1 million settlement with the company, which was found to lack basic safeguards and must now "take steps to enhance and strengthen their cybersecurity practices," according to a news release.
Leaked data could have yearslong security repercussions for families who have to monitor their credit, according to experts. PowerSchool offered two years of free credit monitoring and identification protection for students and educators who were affected.
Examples of phishing in 2025 included a fake request for transcripts and a scam email from an internal email address that included a form. Some students completed the form with their name, phone number, email and bank information, according to the state report. In another case, administrators were sent spoofed emails from one of their law firms, the report said.
Such scams can cost districts millions of dollars. Earlier this month, the Nassau County District Attorney’s Office announced a California woman had been indicted on grand larceny charges after a 2024 email purporting to be from the finance director of a K-12 charter school requested the Hempstead school district send payment to a new bank account. The district transferred $3.5 million into the account, which allegedly belonged to the woman. A district spokesman said approximately $3.3 million was later recovered.
Richroath said phishing has been an issue in his district.
"We're a big district. … Especially during the holiday season, we'll see an increase in the number of phishing attempts for free gift cards that are fake and stuff like that," he said.
Compliance concerns
Another hurdle schools face is making sure applications and third-party vendors they contract with comply with state, federal and local policies intended to keep personal data safe.
Schools that work with third-party vendors to handle personal student information are required to include protections like a data security and privacy plan, a parents' bill of rights and minimum technical safeguards, according to a state Education Department spokeswoman.
Richroath said even though the district follows the safety and security policies required by the state, overseeing third-party vendors places an unnecessary strain on them.
He said vendors must sign annual contracts regarding the policies. But even with these provisions, most schools have to trust third-party companies are adhering to all the proper procedures, experts said.
“It's just a lot on the district's plate... we should be worried about that, but it puts a lot to make sure that we're getting these contracts signed annually,” Richroath said. He added, “Even though we do all the ed law paperwork, are they following that and are they reporting it to us in a timely fashion?”
He said it would be helpful for the state to compile a list of vetted applications and vendors that districts can use. Additional funding, whether through federal or local grants, would also help strengthen their measures, he said.
Sandeep Dhillon, director of district technology services at Nassau BOCES, said his organization runs a managed security operations center that partners with industry providers and has dedicated cybersecurity staff. He said roughly two dozen districts have signed up for the program.
"We have analysts dedicated to specific schools, and we ramp up staff as the demand goes higher," he said.
Sandeep Dhillon at Nassau BOCES in Westbury. He said about two dozen districts partner with the agency for cybersecurity. Credit: Morgan Campbell
Nassau Board of Cooperative Educational Services uses automation and artificial intelligence to cut down on costs, he said. The price per district depends on the number of students and staff but he said the program is more affordable than many other third-party options.
He said the security team has seen an uptick in phishing as well as "spear phishing," when someone attempts to obtain sensitive information through email by impersonating a trusted source.
"The threats are now more geared toward the entire ecosystem in schools. Often what is missing is having visibility into platforms, applications and have a strong vetting process which requires the additional staff and budget," he said.
Dhillon and other experts said AI is increasingly being used to create more sophisticated schemes. Sayers, at the Center for Internet Security, said AI is playing a bigger role in creating code used in ransomware or malware attempts. In particular, he said he is seeing more large language models being utilized.
“We saw some interesting signs that malware authors are leveraging AI to help compile the code,” and spread malware through networks, he said. This generates scams that appear more realistic and could be committed even by people with little software knowledge.
"We very rarely see any typographical mistakes in phishing lures anymore," he said. Fake websites intended to scrape information now appear to be a "mirror image of a legitimate website," he said.
“As AI takes hold, the barrier for entry has never been lower for malicious actors to enter this space, so we're anticipating K-12s to remain a leading target into the future,” Sayers said.
Newsday's Michael R. Ebert contributed to this report.
DATA PROTECTION TIPS
Experts said schools, parents and students should take proactive steps to make sure their data is protected. Here are some tips they offer:
- Any programs with artificial intelligence should be reevaluated to determine their privacy and security terms. Software and security systems should be updated.
- Schools must have a clear incident response plan that covers how and when to notify parents and staff of compromised data.
- Staff and students should also be trained to identify threats, including through phishing simulations.
- When a breach is reported, students' credit should be frozen and parents should monitor for new accounts opened in their names.
- Passwords should be long, unique and not reused. Multi-factor authentication should be enabled.
- Students should report suspicious messages, logins or device behavior to school tech staff quickly. Early reporting can limit the spread of ransomware or phishing campaigns.
- Students should be careful sharing their personal information in forms or apps.




