PowerSchool and Illuminate: State audit slams NYC schools for lack of student data privacy oversight

New York City Public Schools Face Critical Gaps in Student Data Security, Audit Finds

A five-year audit by New York State Comptroller Thomas DiNapoli has revealed significant vulnerabilities in how New York City Public Schools (NYCPS) manage and protect student data. The report, released on Monday, highlights systemic weaknesses in data security policies, third-party vendor oversight, and compliance with state requirements, raising concerns as the district expands its use of AI and educational technology.

The audit, covering 2020 to 2025, found that NYCPS, which serves nearly 900,000 students, lacks a comprehensive inventory of the software and third-party platforms used across its schools. This decentralized approach has led to multiple data breaches, including a 2021–22 incident involving Illuminate, a grading platform, that exposed the personal information of 820,000 current and former students. In 2024, hackers accessed student names and birthdates through PowerSchool, a school records program, affecting over 3,000 students and 317 staff. The Education Department only learned of the breach in January 2025, underscoring delays in detection and response.

Between January 2023 and February 2025, auditors identified 141 data security incidents involving breaches of student and staff information, either through third-party vendors or internal systems. The report also found that 218 of 528 surveyed schools used at least 70 different applications beyond the two central systems, reflecting uncoordinated technology adoption. Despite a vendor vetting process, the Education Department lacks visibility into which schools use which platforms and whether they contain sensitive data.

Compliance failures further compound the risks. Nearly 25% of NYCPS employees (about 43,000 staff) did not complete mandatory annual data privacy training, and the district has no system to prevent untrained personnel from accessing sensitive information. Reporting delays were also prevalent: nearly half of data incidents were reported to the state Education Department past the 10-day deadline, and families were notified late in 11% of cases.

While the audit did not find direct violations of the federal Family Educational Rights and Privacy Act (FERPA), it warned that the identified gaps could lead to noncompliance. NYCPS acknowledged the findings, citing recent improvements such as a new student privacy webpage and a data privacy working group. However, the city disputed claims of a lack of centralized oversight, arguing that schools follow a standardized vendor approval process.

Critics, including education advocates and Panel for Educational Policy members, have called for a moratorium on AI adoption, citing the audit as evidence of insufficient safeguards. The comptroller’s office plans to conduct a follow-up audit in one year to assess progress.

Source: https://www.chalkbeat.org/newyork/2026/05/04/state-comptroller-audit-finds-student-data-privacy-gaps-in-nyc-schools/

Illuminate Education, Inc. cybersecurity rating report: https://www.rankiteo.com/company/illuminate-education

PowerSchool cybersecurity rating report: https://www.rankiteo.com/company/powerschool-group-llc

{
  "id": "ILLPOW1777933701",
  "linkid": "illuminate-education, powerschool-group-llc",
  "type": "Breach",
  "date": "1/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '820,000 current and former '
                                              'students (Illuminate breach), '
                                              '3,000 students and 317 staff '
                                              '(PowerSchool breach)',
                        'industry': 'Education',
                        'location': 'New York City, USA',
                        'name': 'New York City Public Schools (NYCPS)',
                        'size': '900,000 students, ~170,000 staff',
                        'type': 'Public School District'}],
 'attack_vector': 'Third-party vendor compromise',
 'customer_advisories': 'Late notifications to families in 11% of data breach '
                        'cases.',
 'data_breach': {'number_of_records_exposed': '820,000 (Illuminate), 3,000+ '
                                              '(PowerSchool)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information)',
                 'type_of_data_compromised': ['Student names',
                                              'Birthdates',
                                              'Personal information']},
 'date_detected': '2025-01',
 'description': 'A five-year audit by New York State Comptroller Thomas '
                'DiNapoli revealed significant vulnerabilities in how New York '
                'City Public Schools (NYCPS) manage and protect student data, '
                'including systemic weaknesses in data security policies, '
                'third-party vendor oversight, and compliance with state '
                'requirements.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Student and staff personal information',
            'identity_theft_risk': 'Yes',
            'legal_liabilities': 'Potential FERPA noncompliance',
            'operational_impact': 'Delayed incident detection and response, '
                                  'compliance failures',
            'systems_affected': 'Illuminate (grading platform), PowerSchool '
                                '(school records program), 70+ additional '
                                'applications'},
 'investigation_status': 'Ongoing (follow-up audit planned in one year)',
 'lessons_learned': 'Need for centralized oversight of third-party vendors, '
                    'improved compliance with data privacy training, timely '
                    'incident reporting, and better coordination of technology '
                    'adoption across schools.',
 'post_incident_analysis': {'corrective_actions': ['New student privacy '
                                                   'webpage',
                                                   'Data privacy working group',
                                                   'Standardized vendor '
                                                   'approval process'],
                            'root_causes': ['Lack of centralized oversight',
                                            'Inadequate vendor vetting',
                                            'Uncoordinated technology adoption',
                                            'Compliance failures (e.g., '
                                            'untrained staff accessing '
                                            'sensitive data)',
                                            'Delayed incident reporting']},
 'recommendations': 'Implement a comprehensive inventory of software and '
                    'third-party platforms, enforce mandatory data privacy '
                    'training, improve incident detection and response times, '
                    'and consider a moratorium on AI adoption until safeguards '
                    'are in place.',
 'references': [{'source': 'New York State Comptroller Thomas DiNapoli Audit '
                           'Report'}],
 'regulatory_compliance': {'regulations_violated': ['State data privacy '
                                                    'requirements',
                                                    'Potential FERPA '
                                                    'violations'],
                           'regulatory_notifications': 'Delayed reporting to '
                                                       'state Education '
                                                       'Department (nearly 50% '
                                                       'past 10-day deadline)'},
 'response': {'communication_strategy': 'Late notifications to families in 11% '
                                        'of cases',
              'remediation_measures': 'New student privacy webpage, data '
                                      'privacy working group'},
 'stakeholder_advisories': 'Critics and education advocates calling for a '
                           'moratorium on AI adoption due to insufficient '
                           'safeguards.',
 'title': 'New York City Public Schools Face Critical Gaps in Student Data '
          'Security, Audit Finds',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Lack of centralized oversight, inadequate vendor '
                            'vetting, uncoordinated technology adoption'}