Data Security Incidents

Parents and students who have reached age 18 have the right to be notified when their identifiable information has been the subject of unauthorized acquisition, access, use, or disclosure. Listed below are incidents of note. Impacted parents and students age 18 and older have been notified of these incidents. An incident of note is one for which the DOE relied on a vendor to assist with parental and student notifications.

Update on MOVEit Data Incident (2023)

What happened? 

On June 1, 2023, the DOE was notified of a technical vulnerability in MOVEit software. DOE used MOVEit to transfer files internally and to and from vendors. There were no warnings about this vulnerability until MOVEit announced it. The DOE fully patched the software within hours of learning about the vulnerability.

An internal investigation determined that approximately 19,000 unique DOE files were copied on May 28, 2023 as a result of the vulnerability. The types of files that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status. Our investigation also confirmed that the files were copied, but not deleted or edited. No other parts of the DOE network were accessed.

The DOE took the MOVEit server offline. It remains offline out of an abundance of caution. 

Once our internal investigation determined that DOE files were accessed without authorization, we immediately began working with a leading e-discovery firm to analyze the magnitude and scope of the incident. As soon as the e-discovery firm provided us with a preliminary assessment on June 23, 2023, we provided information to the public and emailed both staff and families. 

The DOE is one of numerous government agencies and private companies around the globe to be impacted by this incident. The FBI is investigating the broader MOVEit breach, and the DOE is cooperating with the investigation. 

What is MOVEit? What did DOE use MOVEit for? 

MOVEit is software the DOE used to transfer files internally and to and from vendors.

Is DOE still using MOVEit? 

No. We took the DOE server hosting the MOVEit software offline. It remains offline out of an abundance of caution.

Is there anything DOE could have done to prevent this data security incident? 

No. This incident was the result of what is called a “zero-day” vulnerability in the MOVEit software. A zero-day vulnerability is a flaw that is exploited before the software developer knows about it, so no patch exists when the attacks begin. The DOE had no warnings about this vulnerability until MOVEit announced it.

The DOE complies with all privacy laws, including New York State Education Law 2-d, and has strong data security processes and systems in place. These include encrypting data in transit and at rest, using multi-factor authentication, regularly conducting internal testing, and implementing enhancements to ensure our applications and infrastructure remain protected. In addition, all DOE employees take data privacy training on an annual basis. Unfortunately, these privacy and data security measures could not have prevented the MOVEit incident. 

Visit the DOE’s Data Privacy and Security Policies page for more information about how the DOE protects information.

Why weren’t people made aware of the incident sooner?

Once our internal investigation determined that DOE files were accessed without authorization, we immediately began working with a leading e-discovery firm to analyze the scope of the incident. As soon as the e-discovery firm provided us with a preliminary assessment on June 23, 2023, we provided information to the public and emailed both staff and families. 

Once we determined exactly who was impacted by the incident and which of their information was exposed, we began preparing notifications to the individuals whose confidential information was compromised. Affected students were mailed notification letters on August 7, 2023. The overwhelming majority of affected employees and third-party evaluators were mailed notification letters on August 15, 2023. A small group of affected employees were mailed notification letters on September 15, 2023. Individuals who receive the notification are being offered access to credit/identity protection services. 

What type of information was accessed? 

Approximately 19,000 unique documents were accessed. The types of documents that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status. 

A summary of the types of sensitive data impacted is below:

  • Two or more of the following types of information were disclosed about students: name, student ID (OSIS) number, date of birth, and special education information. 

  • For a small percentage of students, their parents’ names, home addresses, and/or phone numbers were also disclosed.

  • For DOE employees whose sensitive information was impacted, all had their name disclosed, and for the vast majority, employee ID number and/or information about leave status was also disclosed.

  • At least one of the following types of sensitive information was disclosed about third-party evaluators: date of birth, home address, and/or US tax identification number. 

  • Social Security numbers were accessed for approximately 9,700 employees and third-party evaluators. No students’ Social Security numbers were accessed. 

The type of data impacted varied from person to person. Each notification letter states what specific information was affected. 

How many people were affected by this incident? 

Approximately 40,000 students, and approximately 170,000 DOE staff and third-party evaluators, had sensitive information exposed.

I was affected by this incident. What can I do to protect my information? 

If you receive a letter from the DOE about this incident through our vendor, IDX, you have an opportunity to enroll in two years of free credit/identity protection services. The DOE will cover the cost, but you must enroll and activate the services. 

To enroll in the credit/identity protection services, call 1-800-939-4170 or 1-888-429-9444, scan the QR code at the top of your letter, or visit https://app.idx.us/account-creation/protect. It only takes five minutes to enroll. You will be asked to provide the Enrollment Code found at the top of your letter.

IDX representatives are available Monday through Friday, from 9 am - 9 pm Eastern Time. Over-the-phone interpretation services are available.

The deadline to enroll in these services has been extended until December 15, 2023. 

What is the deadline for registering for the pre-paid package of identity protection services? 

The deadline to enroll in credit/identity protection services was November 7, 2023, but has been extended until December 15, 2023.

Has law enforcement been notified? 

Yes. The DOE is one of many government agencies and private companies around the globe to be impacted by the MOVEit incident. The FBI is investigating the MOVEit breach, and the DOE is cooperating with the investigation.

Community Letter on MOVEit Data Incident (2023)

Dear Families and Staff:

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers.

This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point.

We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,
Emma Vadehra
Chief Operating Officer
New York City Department of Education

PETS (2023)

What happened? 

On the evening of February 7, 2023, the DOE deployed an update to the Personnel Eligibility Tracking System (PETS). A temporary bug in the system allowed vendors to view on screen and download information about their own employees as well as other vendors’ employees when conducting searches; search results were not limited to the employees of the vendor conducting the search. DOE was alerted to the bug on February 8, 2023 at 10:30am. The system was promptly taken offline and the issue was addressed. 

What is PETS?

PETS has personal information for current and former vendor employees who provide or have provided services to students.

The PETS application allows DOE vendors to manage their roster of employees who provide services to students. It also enables the DOE to track which vendors’ employees are eligible to work in schools and with students. 

When did this incident happen?

Between February 7, 2023 at 9pm and February 8, 2023 at 10:30am.

How many people were affected?

Approximately 80,000 current or former employees of DOE vendors who provide or have provided services to students. 

How will I know if I was affected?

Affected employees received notice about this incident in the mail during the week of June 26. The type of information in your PETS record that was exposed is specified in the letter you received. The letter also specifies whether your information was viewed on screen or exported.

I was affected by this incident. What can I do to protect my information?

For employees who received a letter from the DOE about this incident, the DOE is offering an opportunity to enroll in two years of free credit monitoring and identity theft monitoring services through our vendor, IDX. The DOE will cover the cost, but you must enroll and activate the services.

To enroll in credit monitoring and identity theft monitoring services, call 1-800-939-4170 or visit https://app.idx.us/account-creation/protect. You will be asked to provide the Enrollment Code found on the top of your letter. IDX representatives are available Monday through Friday, from 9 am - 9 pm Eastern Time. The deadline to enroll in these services is September 28, 2023.

What is the deadline for registering for the pre-paid package of identity protection services?

The deadline to enroll in identity and credit monitoring services is September 28, 2023.

What is the New York City Department of Education doing to prevent this kind of exposure from happening again? 

Upon learning of the bug, the DOE promptly took PETS offline and addressed the issue. The DOE also contacted the eight vendor users who accessed information about other vendors’ employees during the relevant time period, directing them to delete and destroy all copies of the information, physical and/or electronic. All eight vendor users confirmed they deleted and destroyed the records. 

The DOE is committed to strengthening our testing and review processes for all application updates, including future updates to PETS. The DOE is also considering enhancing PETS to restrict the personal information that a vendor can view and export.

Who should I contact if I have questions? 

For more information, please email SIRT@schools.nyc.gov.

Illuminate Education (2022)

What happened?

Illuminate notified the New York City Department of Education of the following about the incident:

  • On January 8, 2022, Illuminate became aware of suspicious activity in certain of its applications.
  • Illuminate immediately took steps to secure the affected applications and launched an investigation with external forensic specialists to determine the nature and scope of the activity. Illuminate also contacted the FBI.
  • On March 24, 2022, Illuminate confirmed through its investigation that between December 28, 2021, and January 8, 2022, certain of Illuminate’s databases that contained potentially protected student information were subject to unauthorized access.
  • Illuminate notified the New York City Department of Education (DOE) on March 25, 2022, of its investigation’s findings.
  • The scope of the incident is limited to Illuminate applications, and no DOE computer systems were affected.
  • Aside from the initial incident, DOE is not aware of any further misuse or attempted misuse of the affected information.

When did this incident happen?

Between December 28, 2021, and January 8, 2022.

What personal information was affected?

Illuminate informed the New York City Department of Education of the following:

  • No financial account information or Social Security numbers were affected in this incident.
  • The affected databases contained the following information about all affected DOE students: first and last name, DOE student identification number (also known as OSIS number), and school.
  • The affected databases contained at least two of the following information items for all affected DOE students: date of birth, gender, grade level, race or ethnicity, home language, and course information (including teacher name and/or subject).
  • In addition, the affected databases contained the following types of information for some students: academic testing information, whether the student is an English Language Learner, whether the student receives special education services, and (for a very small number of students) whether the student is economically disadvantaged. 

Was free and reduced price school lunch data affected?

Illuminate has informed the New York City Department of Education that no free and reduced price lunch data of DOE students was affected by the incident.

Were student IEPs affected?

Illuminate has informed the New York City Department of Education that no student IEPs, nor any content from student IEPs, were affected by the incident. However, for some students, the information about whether the student receives special education services (in other words, yes or no) was affected.

What specific information of mine/my child’s was affected?

If you received a notice that your family was affected and wish to request more specific information, please email Illuminatequestions@schools.nyc.gov and include your name, phone number, email address, student’s name, student’s date of birth, and the student’s ID number. To protect students’ privacy, the New York City Department of Education must first verify your identity before sharing specific student data. Someone from the DOE will contact you within a week.

How many years of personal information was affected?

Illuminate has informed the New York City Department of Education that the oldest data affected is from the 2016-17 school year. However, the years for which personal information was affected vary by school and by student.

Was the information encrypted?

Illuminate has told the New York City Department of Education that the affected databases were not encrypted at the time of the incident.

How many students were affected?

Approximately 800,000 current and former New York City Department of Education students were affected.

How many schools were affected?

Approximately 700 New York City Department of Education schools that currently or previously used Illuminate’s applications were affected. However, not all schools that use Illuminate’s applications were affected by this incident.

Why did I get multiple letters?

This could happen if you have more than one child whose information was affected. It could also happen if your child(ren) attended different schools in different districts over one or more school years. It could also happen if your child(ren) attended a New York City Department of Education school as well as a charter school over one or more school years.

Why did I get only one letter when I have one or more children?

It is possible that only one of your children had information that was affected.

Who is Illuminate Education?

Illuminate is a company that provides educational applications and technology support to schools. Some DOE schools choose to use these products and services. Schools use Illuminate’s software to track student attendance, assignments and grades, and to communicate with families, administer tests and exams, and help with other administrative work. In order to provide its services, Illuminate creates, maintains, and controls its own software, and stores information about students, including information about you and/or your child.

Have the police or local authorities been notified?

The New York City Department of Education reported the incident to the New York City Police Department. It also notified the New York State Office of the Attorney General and the New York State Education Department. The DOE is coordinating with the New York City Cyber Command, the New York City Office of Information Privacy, and the New York City Law Department.

Has legal action been taken against Illuminate?

The NYC Department of Education is not aware of any litigation or claims at this time related to this matter. The DOE is reviewing its contractual and legal rights associated with the incident.

Will the DOE continue to use Illuminate?

After extensive investigation and deliberation, and based on our deep commitment to protecting the privacy of our families and students, we directed all schools to cease using any Illuminate products and services after June 30, 2022.

Why didn't you tell affected individuals about the loss of the data sooner?

On March 25, 2022, Illuminate informed the New York City Department of Education that its investigation determined that certain student information was contained in the affected databases. Upon receiving confirmation from Illuminate, the DOE had to gather relevant information from Illuminate on which students were affected, locate their contact information in the DOE’s own databases, and make the appropriate decisions to line up the assistance services that were offered to affected individuals.

What is the New York City Department of Education doing to prevent this kind of loss from happening again?

The New York City Department of Education sincerely regrets that student information was involved in this incident. It is committed to protecting students’ information and is taking significant steps to keep this from happening again. First, the DOE verified that no DOE computer systems were affected. Then it began its own investigation and gathered more information to understand how the incident happened and whether it can continue to use Illuminate’s products and services. After extensive investigation and deliberation, and based on our deep commitment to protecting the privacy of our families and students, we directed all schools to cease using any Illuminate products and services after June 30, 2022. The DOE also is reviewing security procedures taken by other vendors that provide similar services to DOE schools, families, and students.

What is the deadline for registering for the pre-paid package of identity protection services?

The deadline to enroll was August 19, 2022.

If there are any updates regarding this incident, how will I be notified?

The New York City Department of Education will reach out to affected families if it has new information to communicate to them about this incident.

Has the information been misused?

Aside from the initial incident, the New York City Department of Education is not aware of any further misuse or attempted misuse of the affected information.