Full Report
Lorena Mongelli reports: Reports of compromised student data and cybersecurity in schools surged statewide in 2025, according to education officials. Statewide, data incident reports rose 72%, from 384 in 2024 to 662 in 2025, an annual report issued by the state Education Department’s chief privacy officer found. On Long Island, schools reported 44 data incidents in 2025, a jump from 35 the year prior, according to...
Analysis Summary
# Incident Report: Surge in NYS School Data Security Incidents (2025)
## Executive Summary
In 2025, New York State educational institutions experienced a 72% increase in reported data incidents, rising from 384 in 2024 to 662. The surge was primarily driven by human error and third-party contractor breaches, though external hacking and phishing remained significant threats. These incidents compromised student data across the state, with Long Island alone seeing a rise to 44 incidents.
## Incident Details
- **Discovery Date:** Various (Reported in 2025 annual cycle)
- **Incident Date:** Calendar Year 2025
- **Affected Organization:** New York State Schools (Multiple Districts)
- **Sector:** Education
- **Geography:** New York State, USA (Specifically highlighting Long Island)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2025
- **Vector:** Human Error, Third-Party Supply Chain, and Phishing
- **Details:** The most frequent cause was unintentional disclosure (human error), followed by breaches at third-party contractors and active phishing campaigns.
### Lateral Movement
- **Details:** The summary report does not detail specific lateral movement techniques. It counts 221 incidents involving external hacking, the category where such movement typically occurs.
### Data Exfiltration/Impact
- **Details:** Compromise of protected student data and private information.
### Detection & Response
- **How it was discovered:** Internal auditing and mandatory reporting to the State Education Department’s Chief Privacy Officer.
- **Response actions taken:** State-level monitoring and annual reporting to identify trends; individual district-level remediation (not detailed in source).
## Attack Methodology
- **Initial Access:** Human error (341 cases), Third-party contractor access (230 cases), Hacking/External breaches (221 cases), Phishing (32 cases).
- **Persistence:** Not specified in aggregate report.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Phishing (32 reported instances).
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Compromise of student records and private data.
- **Exfiltration:** Accidental disclosure and unauthorized third-party access.
- **Impact:** Ransomware and Malware (2 reported cases).
## Impact Assessment
- **Financial:** Not disclosed in report, though remediation costs for 662 incidents are expected to be substantial.
- **Data Breach:** High volume; thousands of student records affected statewide.
- **Operational:** Disruption caused by ransomware in at least 2 instances.
- **Reputational:** Increased public scrutiny of school cybersecurity posture and third-party vendor reliability.
## Indicators of Compromise
- **Network indicators:** None listed in the aggregate report.
- **File indicators:** Malware/Ransomware presence cited in 2 cases.
- **Behavioral indicators:** Unauthorized disclosure of data to unintended recipients (Human Error).
## Response Actions
- **Containment measures:** Reporting to the State Education Department.
- **Eradication steps:** Not specified in summary.
- **Recovery actions:** Identifying causes (human error vs. technical) to inform future training.
## Lessons Learned
- **Human Factor:** Accidental internal sharing is the leading cause of data incidents (over 50% of reports), indicating a need for better staff training.
- **Third-Party Risk:** One-third of incidents involved contractors, highlighting significant vulnerabilities in the educational supply chain.
- **Trend Awareness:** Incidents have ballooned from 71 in 2021 to 662 in 2025, suggesting a rapidly deteriorating threat landscape for schools.
## Recommendations
- **Staff Training:** Implement robust data handling and privacy awareness programs to reduce "human error" incidents.
- **Vendor Management:** Perform rigorous security audits of third-party contractors who handle student data.
- **Phishing Defense:** Deploy advanced email filtering and conduct regular phishing simulations.
- **Incident Response Planning:** Prepare specific playbooks for ransomware to mitigate operational downtime.