After massive NYC student data breach, here are steps you can take

April 2, 2022 Christina Veiga, Chalkbeat New York

Students work on their laptops at West Brooklyn Community High School. AP photos by Kathy Willens

Share this:

New York City officials recently acknowledged that the personal information of about 820,000 current and former students was compromised in a cybersecurity lapse.

If you’re a caregiver wondering what that means for your family, here’s a guide with steps you can take to better protect your identity and your child’s, according to privacy experts.

First, the background: The company affected was Illuminate Education, which owns Skedula and PupilPath — platforms that crashed this winter as part of the breach, causing headaches for schools that rely on them for everything from tracking attendance to grades.

A “malicious actor” was able to access information including student’s birthdates, whether they receive special education services, speak a language other than English at home, and even their assessment grades, according to education department officials.

The matter has been referred to law enforcement, and families will receive notification “in the coming weeks” about whether or how their child was affected, city officials said.

“It is a massive incident,” said Doug Levin, the national director of K-12 Security Information Exchange, a nonprofit that helps districts protect themselves from cybersecurity risks. “Certainly among the largest, if not the largest, experienced by a single school district.”

Parents will have to deal with the fallout “in perpetuity,” keeping a constant eye on their children’s financial and other identifying information, said Hannah Quay-de la Vallee, a senior technologist at the Center for Democracy & Technology, a nonpartisan nonprofit.

Here are tips from experts about what families should do now.

Check if your passwords have been compromised, and change any associated with your child’s school accounts.

After a breach like this one, Levin said it’s a good idea to change your children’s usernames and passwords. That goes for accounts they use both for school and outside of the classroom since, let’s face it, many of us reuse passwords.

You can check whether any of your accounts, or your children’s, have been affected by data breaches by going here. (Levin assures the site is legitimate, despite how it may look.)

He recommended using a password manager, many of which are free, to store unique passwords for each site you or your child use. Even storing passwords in your browser is preferable to reusing them, he said.

You should always use two-step authentication, if it’s offered, Levin added. That’s when you receive a text message or use an app to input a code, as a second layer of security when logging into your accounts.

Keep an eye on your child’s credit and your own.

The type of information that was breached can easily be used to commit financial crimes, experts said, such as opening up fraudulent credit cards or loans.

“You need credit monitoring,” said Pam Dixon, executive director of the World Privacy Forum, a public interest research group. “Parents are going to ask, ‘Why does my child need credit monitoring?’ The answer is that children are very high value targets when opening fraudulent credit, because no one’s checking up on it.”

You can check if your children have a credit report by contacting the three credit bureaus and asking them to manually run a check using your children’s social security numbers. You can also put a freeze on your children’s credit, which will make it harder for bad actors to open accounts in their name. The Federal Trade Commission has more information about how to take these steps here.

The education department said that Illuminate will pay for identity monitoring for the affected families. Dixon said that’s a positive sign since identity monitoring usually goes beyond just keeping tabs on credit. Parents should also be offered the service for themselves because criminals may be able to link information from children back to their caregivers, Dixon said.

Officials did not provide more details about who will be offered monitoring, and how extensive it will be. Not all services are equal, Dixon said.

Recent transfer student Kevin Camacho, 17, works on a Department of Education laptop in a classroom at West Brooklyn Community High School.

Families may want to consider paying for monitoring that also includes checking the dark web — corners of the internet that can’t be found through search engines and are often used to broker ill-gotten data. Some services also remove any information that’s found there. These services cost around $50 a year, Dixon said.

Beware of scam calls and emails.

Hackers may use the bits of information they have to pry more data out of you. Be suspicious of callers who seem to have details about you or your child, but are asking for more.

“Parents should probably be on the lookout for getting calls that say, ‘We’re missing critical information to get your child enrolled in school. We need you to call us back ASAP and give us their social security number,’” Quay-de la Vallee gave as an example.

If something like this happens, Quay-de la Vallee offered some tips. Ask the person for details like what school or department they’re calling from, and ask for contact information. Hang up, and search online for the entity they claim to be calling from, to see if the information they’ve given you matches.

A classic tactic to watch out for, she said, is when the caller gives you a hard deadline, to get you to quickly hand over information.

Your children might also be direct targets for these scams, so it’s important to warn them to be on the lookout, Quay-de la Vallee said. Bad actors may try to contact your child through social media or their own phone numbers, claiming to be an old classmate, looking for information to get back in touch, for example.

Another thing to look out for: phishing emails. These are messages that contain a malicious link that may infect your computer. They might send back your personal information to hackers, or ask you to share other sensitive information.

Dixon said it’s a good idea to change your child’s school email address, if you can. Education department officials did not answer questions about whether they would facilitate this.

Also, experts said not to hesitate to contact your school to confirm the kind of information they need, or to ask how it’s used.

“If parents are concerned about the security of their kids’ data and the data that’s being collected by their school districts, I think it is important that they speak up,” Levin said.

Stay vigilant because the effects could be felt for a long time.

You’ll want to continue to take all of these protective steps for the foreseeable future. Experts said it’s not uncommon for data to show up for sale or in other reaches of the dark web for years after a breach.

Dixon said students become especially vulnerable later in high school, when their information might be used to secure student loans, for example.

The information could also be added to databases that collect information over time, piecing together more and more details. Combined, it can become more valuable for committing fraud, or sold off based on specific characteristics – like teenage girls living in New York City.

“Being part of these data breaches just means you have to be vigilant about it, going forward and in perpetuity, unfortunately,” Quay-de la Vallee said.

Christina Veiga is a reporter covering New York City schools with a focus on school diversity and preschool. Chalkbeat is a nonprofit news site covering educational change in public schools.