School cyber incidents on Long Island Reported cases rose sharply in 2023 Newsday
pSteve Morgan founder of the Northportbased Cybersecurity Ventures a provider of data and analytics for the industry said K12 schools nationally and globally are facing relentless cyberattacks Long Island is reflective of that Credit Rick KopsteinppLong Island schools saw a big increase in the number of reported computer hacks and other cyber incidents in 2023 compared with the prior year and human error continued to be a major cause of exposing sensitive student information such as special education disabilities and disciplinary problems records showppIsland schools reported 35 cyber incidents last year a bump of 52 from 23 the year before according to state Education Department records obtained by Newsday via a Freedom of Information Law request The numbers showed a continuing yearoveryear trend of increasing incidents as the 2022 figure represented twice as many as in 2021ppMany of these cyber troubles were selfinflicted Human error on the part of school workers caused about half of them a total of 16 despite many districts implementing cybersecurity training for workers to spot suspicious emails and secure recordsppThe incidents disrupt school instruction and operations even as they impact the lives of students their families and teachers When a students personal information is wrongly made public especially regarding special education students the student could be subject to bullying discrimination and threats experts sayppIsland school districts responded to these cyber incidents by deleting certain information providing workers with additional training and notifying parents of the affected students records showedppBay Shore Superintendent Steven Maloney said the district responded quickly to the problem thereppThe incident in question stemmed from a data processing error and was addressed appropriately Maloney said Reporting and notification took place in accordance with New York State Education Law The potential for future similar incidents was neutralized by a change in procedureppThe Data Incident Reports highlight the often precarious state of privacy regarding student and staff information in the digital world The reports show the great majority of these cyber incidents are not major disruptions that cripple a districts computer systems for months but isolated events that most often affect say dozens of studentsppAt the same time schools remain a prime target for cybercriminals who steal information and subject schools to ransomware attacks In such an attack a hacker infiltrates a schools information networks disabling the system and demanding money to unlock itppThis month Hempstead police and Nassau County district attorneys officials said they are investigating a theft of up to 35 million from the Hempstead school district Hackers intercepted the 35 million wire payment from the district to Evergreen Charter School but police and banking officials were able to stop all but 300000 of the payment from being obtained by the hackers school officials saidppHempstead school board President Lamont Johnson has not said how or when the hack occurredppIt is an ongoing investigation and there is nothing else we are able to say at this time without compromising the investigation The appropriate law enforcement officials are working on the case he said in a statement last Monday emailed by a representative Johnson has said the theft will not affect district finances and that the district was insuredppThe cyber incidents in Long Island schools mirror the national pictureppK12 schools nationally and globally are facing relentless cyberattacks Long Island is reflective of that said Steve Morgan founder of the Northportbased Cybersecurity Ventures a provider of data and analytics for the industryppThe cyber incidents from Long Islands 124 public school districts track with increases statewide as New York had a record number of such events in 2022 many due to human error The state had 140 reported incidents that year nearly doubling the 71 reports seen in the prior year according to the state Education Departments 2022 Annual Report on Data Privacy and Security which is the most recent data availableppAcross the country there were more than 1330 publicly disclosed cyber incidents involving K12 schools from 2016 to 2022 according to the K12 Security Information eXchange a Virginia nonprofit that tracks cyberattacks on schools ppThese mistakes intrusions and thefts can be costly losses to school districts range from 50000 to 1 million per school data breach as they often require replacing computer hardware and improving cybersecurity to prevent future events according to the Government Accountability OfficeppTraining can make a big difference experts sayppTraining employees tops the list of what can be done to improve security because many cyber incidents are due to human error Morgan said The key is ongoing training not just onetime programsppBut training only goes so far as cybercriminals have become increasingly adept at disguising their malicious emails as innocuous said Doug Levin national director of K12 Security Information eXchangeppYoure never going to train your way out of this Levin said He said software companies should build in safeguards that dont allow workers to inadvertently release information that should remain private It shouldnt be able to happenppSometimes a single wrong click on a computer can mean troubleppIn September the Jericho transportation director inadvertently hit Reply All in response to an email from a parent thereby making the parents email available to an entire parent group records showed The email contained the parents name and address as well as the grade level of a student and the grade level and address of the students sibling records showppThe director of transportation contacted my office to determine why a parents emails were going out to an entire parent group said Patrick Fogarty the district technology director in the report The district notified the parent who had sent the email and the state Education Department he saidppMany school districts have been improving their defenses against cyberattacks installing software protections employing tech specialists and establishing protocols in the event of an eventppWere more prepared in every way Fogarty said in an email to Newsday noting the district has 247 monitoring of its networks mandatory training for staff and a new email system that allows for oneclick encryption of sensitive data Encryption converts information or data into a code which can only be read by the person receiving the emailppFogarty noted that the district has implemented email protections that include an automatic notification when a person inputs personally identifiable information and encourages the user to either remove the information or enable encryptionppWe cant expect people to be perfect so we have a robust system in place for breaches and inadvertent disclosures Fogarty said Planning for a world without human error is a fools errandppThe Uniondale school district was struck by a ransomware attack last April when a tech employee working during spring break noticed a suspicious file in the computer system Quick thinking and preparation helped limit the damage and down time on the system the records saidppThe Uniondale IT crew working with outside cybersecurity experts shut down the computer network and put in place a new one and all desktop computers were cleared of data and provided new operating systems records showedppAny data stolen or compromised was limited to that which was on the districts internal servers Superintendent Monique DarrisawAkil said in an April message to the school community The hacker was able to access student and personnel information such as email addresses home addresses and phone numbers she saidppThe stolen information was posted on a dark web website as evidence that the cybercrime group had breached data security protocols she said She noted that much of the data is stored on cloudbased systems such as the districts email system and financial and student management and food service systems which were not compromised records showedppWe do not believe any sensitive student faculty or district information was compromised DarrisawAkil said in the messageppSchool districts dont have to be the target of a cyberattack in order for students and staff to be vulnerable to one Schools are increasingly using contractors and vendors to provide student services and officials often dont have a good way to vet a companys cybersecurity Levin saidppWhen one vendor has an issue it can affect so many people he saidppNew York Therapy Placement Services a Farmingdalebased company that provides services for specialneeds students was the victim of a cyberattack in November The breach included sensitive information of several Island districts and personal information records said Those districts included Baldwin Freeport HewlettWoodmere West Babylon Massapequa and PatchogueMedfordppThe breach of the company occurred around 1130 am Nov 28 when a worker received an email that appeared to originate from a school district but was actually a phishing attack according to the records In a phishing attack the cybercriminal masquerades as a reputable source and lures the targeted person to open an email which allows the thief into the systemppThe worker entered her credentials to retrieve the email and within 24 hours the phisher began sending emails using the employees email account the reports said The hacker accessed an employees file that contained the identities addresses and dates of birth for 41 children in 28 school districts who were awaiting placements with therapists records showedppUpon discovering the breach the placement company secured the employees email account initiated an investigation and shared appropriate information with our school district partners and the New York State Education Department said John Johnson the company CEO in a statementppJohnson did not respond to a question on how many of the affected districts were on Long IslandppLooking ahead Levin of K12 Security Information eXchange said many school officials remain tightlipped about cyber incidents refraining from reporting them to the state and in some instances taking months to alert victims Newsday tried to reach 10 districts that had reports for comment and only two Jericho and Bay Shore responded The public relations representatives for some districts said officials were unavailable due to the winter breakppSchool officials often fear Levin said that discussing specifics of their networks could expose weaknesses in the systemppIn terms of new trends Levin said hes seeing more classaction lawsuits by victims of cyberattacks against those entities that handle their datappMoreover cybercriminals also are using the advances being made in artificial intelligence to better disguise their ransomware and phishing attempts so people will open their emails and enter their passwords and credentialsppTheir tactics continue to evolve Levin said emphasizing the importance of cybersecurity in schools as a way to lessen the impact on people involved and maintain the trust of the communityppWith Arielle Martinez Nicholas Spangler and Joie TyrrellppLong Island schools saw a big increase in the number of reported computer hacks and other cyber incidents in 2023 compared with the prior year and human error continued to be a major cause of exposing sensitive student information such as special education disabilities and disciplinary problems records showppIsland schools reported 35 cyber incidents last year a bump of 52 from 23 the year before according to state Education Department records obtained by Newsday via a Freedom of Information Law request The numbers showed a continuing yearoveryear trend of increasing incidents as the 2022 figure represented twice as many as in 2021ppMany of these cyber troubles were selfinflicted Human error on the part of school workers caused about half of them a total of 16 despite many districts implementing cybersecurity training for workers to spot suspicious emails and secure recordsppThe incidents disrupt school instruction and operations even as they impact the lives of students their families and teachers When a students personal information is wrongly made public especially regarding special education students the student could be subject to bullying discrimination and threats experts sayppIsland school districts responded to these cyber incidents by deleting certain information providing workers with additional training and notifying parents of the affected students records showedppGet the latest updates on how education is changing in your districtppppBy clicking Sign up you agree to our privacy policyppBay Shore Superintendent Steven Maloney said the district responded quickly to the problem thereppThe incident in question stemmed from a data processing error and was addressed appropriately Maloney said Reporting and notification took place in accordance with New York State Education Law The potential for future similar incidents was neutralized by a change in procedureppThe Data Incident Reports highlight the often precarious state of privacy regarding student and staff information in the digital world The reports show the great majority of these cyber incidents are not major disruptions that cripple a districts computer systems for months but isolated events that most often affect say dozens of studentsppAt the same time schools remain a prime target for cybercriminals who steal information and subject schools to ransomware attacks In such an attack a hacker infiltrates a schools information networks disabling the system and demanding money to unlock itppThis month Hempstead police and Nassau County district attorneys officials said they are investigating a theft of up to 35 million from the Hempstead school district Hackers intercepted the 35 million wire payment from the district to Evergreen Charter School but police and banking officials were able to stop all but 300000 of the payment from being obtained by the hackers school officials saidppHempstead school board President Lamont Johnson has not said how or when the hack occurredppIt is an ongoing investigation and there is nothing else we are able to say at this time without compromising the investigation The appropriate law enforcement officials are working on the case he said in a statement last Monday emailed by a representative Johnson has said the theft will not affect district finances and that the district was insuredppThe cyber incidents in Long Island schools mirror the national pictureppK12 schools nationally and globally are facing relentless cyberattacks Long Island is reflective of that said Steve Morgan founder of the Northportbased Cybersecurity Ventures a provider of data and analytics for the industryppThe cyber incidents from Long Islands 124 public school districts track with increases statewide as New York had a record number of such events in 2022 many due to human error The state had 140 reported incidents that year nearly doubling the 71 reports seen in the prior year according to the state Education Departments 2022 Annual Report on Data Privacy and Security which is the most recent data availableppAcross the country there were more than 1330 publicly disclosed cyber incidents involving K12 schools from 2016 to 2022 according to the K12 Security Information eXchange a Virginia nonprofit that tracks cyberattacks on schools ppThese mistakes intrusions and thefts can be costly losses to school districts range from 50000 to 1 million per school data breach as they often require replacing computer hardware and improving cybersecurity to prevent future events according to the Government Accountability OfficeppTraining can make a big difference experts sayppTraining employees tops the list of what can be done to improve security because many cyber incidents are due to human error Morgan said The key is ongoing training not just onetime programsppSometimes just a single wrong click can mean trouble Credit Dawn McCormickppBut training only goes so far as cybercriminals have become increasingly adept at disguising their malicious emails as innocuous said Doug Levin national director of K12 Security Information eXchangeppYoure never going to train your way out of this Levin said He said software companies should build in safeguards that dont allow workers to inadvertently release information that should remain private It shouldnt be able to happenppSometimes a single wrong click on a computer can mean troubleppIn September the Jericho transportation director inadvertently hit Reply All in response to an email from a parent thereby making the parents email available to an entire parent group records showed The email contained the parents name and address as well as the grade level of a student and the grade level and address of the students sibling records showppThe director of transportation contacted my office to determine why a parents emails were going out to an entire parent group said Patrick Fogarty the district technology director in the report The district notified the parent who had sent the email and the state Education Department he saidppMany school districts have been improving their defenses against cyberattacks installing software protections employing tech specialists and establishing protocols in the event of an eventppWere more prepared in every way Fogarty said in an email to Newsday noting the district has 247 monitoring of its networks mandatory training for staff and a new email system that allows for oneclick encryption of sensitive data Encryption converts information or data into a code which can only be read by the person receiving the emailppFogarty noted that the district has implemented email protections that include an automatic notification when a person inputs personally identifiable information and encourages the user to either remove the information or enable encryptionppWe cant expect people to be perfect so we have a robust system in place for breaches and inadvertent disclosures Fogarty said Planning for a world without human error is a fools errandppQuick thinking and preparation helped limit damage to the Uniondale system according to records Above Uniondale High School Credit NewsdaySteve PfostppThe Uniondale school district was struck by a ransomware attack last April when a tech employee working during spring break noticed a suspicious file in the computer system Quick thinking and preparation helped limit the damage and down time on the system the records saidppThe Uniondale IT crew working with outside cybersecurity experts shut down the computer network and put in place a new one and all desktop computers were cleared of data and provided new operating systems records showedppAny data stolen or compromised was limited to that which was on the districts internal servers Superintendent Monique DarrisawAkil said in an April message to the school community The hacker was able to access student and personnel information such as email addresses home addresses and phone numbers she saidppThe stolen information was posted on a dark web website as evidence that the cybercrime group had breached data security protocols she said She noted that much of the data is stored on cloudbased systems such as the districts email system and financial and student management and food service systems which were not compromised records showedppWe do not believe any sensitive student faculty or district information was compromised DarrisawAkil said in the messageppSchool districts dont have to be the target of a cyberattack in order for students and staff to be vulnerable to one Schools are increasingly using contractors and vendors to provide student services and officials often dont have a good way to vet a companys cybersecurity Levin saidppWhen one vendor has an issue it can affect so many people he saidppNew York Therapy Placement Services a Farmingdalebased company that provides services for specialneeds students was the victim of a cyberattack in November The breach included sensitive information of several Island districts and personal information records said Those districts included Baldwin Freeport HewlettWoodmere West Babylon Massapequa and PatchogueMedfordppThe breach of the company occurred around 1130 am Nov 28 when a worker received an email that appeared to originate from a school district but was actually a phishing attack according to the records In a phishing attack the cybercriminal masquerades as a reputable source and lures the targeted person to open an email which allows the thief into the systemppThe worker entered her credentials to retrieve the email and within 24 hours the phisher began sending emails using the employees email account the reports said The hacker accessed an employees file that contained the identities addresses and dates of birth for 41 children in 28 school districts who were awaiting placements with therapists records showedppUpon discovering the breach the placement company secured the employees email account initiated an investigation and shared appropriate information with our school district partners and the New York State Education Department said John Johnson the company CEO in a statementppJohnson did not respond to a question on how many of the affected districts were on Long IslandppLooking ahead Levin of K12 Security Information eXchange said many school officials remain tightlipped about cyber incidents refraining from reporting them to the state and in some instances taking months to alert victims Newsday tried to reach 10 districts that had reports for comment and only two Jericho and Bay Shore responded The public relations representatives for some districts said officials were unavailable due to the winter breakppSchool officials often fear Levin said that discussing specifics of their networks could expose weaknesses in the systemppIn terms of new trends Levin said hes seeing more classaction lawsuits by victims of cyberattacks against those entities that handle their datappMoreover cybercriminals also are using the advances being made in artificial intelligence to better disguise their ransomware and phishing attempts so people will open their emails and enter their passwords and credentialsppTheir tactics continue to evolve Levin said emphasizing the importance of cybersecurity in schools as a way to lessen the impact on people involved and maintain the trust of the communityppWith Arielle Martinez Nicholas Spangler and Joie Tyrrellpp
Craig Schneider is a Long Island native and Stony Brook University alumnus He joined Newsday as a general assignment reporter in January 2018 after 20 years at the Atlanta JournalConstitution
ppUnlimited Digital AccessOnly 25for 5 monthsppPrivacy Policy Terms of service Subscription terms Your ad choices Cookie Settings California Privacy Rights About Us Contact Newsday Reprints permissions Advertise with Newsday HelpppCopyright 2024 Newsday All rights reservedp
Craig Schneider is a Long Island native and Stony Brook University alumnus He joined Newsday as a general assignment reporter in January 2018 after 20 years at the Atlanta JournalConstitution
ppUnlimited Digital AccessOnly 25for 5 monthsppPrivacy Policy Terms of service Subscription terms Your ad choices Cookie Settings California Privacy Rights About Us Contact Newsday Reprints permissions Advertise with Newsday HelpppCopyright 2024 Newsday All rights reservedp
