After a Massive New York Student Data Breach, Here Are the Steps to Take

New York City officials recently acknowledged that the personal information of approximately 820,000 current and former college students was compromised in a cybersecurity breach.

If you’re a caregiver wondering what this means for your family, here’s a guide with steps you can take to better protect your identity and that of your child, according to privacy experts.

First, the background: the company involved was Illuminate Education, which owns Skedula and PupilPath — platforms that crashed this winter as part of the breach, causing headaches for schools that depend on them for everything from attendance tracking to grades.

A “malicious actor” was able to access information such as students’ dates of birth, whether they receive special education services, speak a language other than English at home and even their assessment scores, according to Education Department officials.

The case has been referred to law enforcement and families will receive notification “in the coming weeks” about whether or how their child was affected, city officials said.

“This is a massive incident,” said Doug Levin, national director of K-12 Security Information Exchange, a nonprofit that helps districts protect against cybersecurity risks. “Certainly among the greatest, if not the greatest, experienced by a single school district.”

Parents will have to deal with the fallout “in perpetuity,” keeping a constant eye on their children’s financial and other identifying information, said Hannah Quay-de la Vallée, senior technologist at the Center for Democracy & Technology, a non-profit, non-partisan organization.

Here’s expert advice on what families should do now.

Check to see if your passwords have been compromised and change those associated with your child’s school accounts.

After a breach like this, Levin said it’s a good idea to change your kids’ usernames and passwords. This goes for accounts they use both for school and outside of the classroom since, let’s face it, a lot of us reuse passwords.

You can check if any of your accounts, or those of your children, have been affected by data breaches by going here. (Levin assures that the site is legitimate, despite its appearance.)

He recommended using a password manager, many of which are free, to store unique passwords for each site you or your child uses. Even storing passwords in your browser is better than reusing them, he said.

You should always use two-step authentication, if offered, Levin added. This is when you receive a text message or use an app to enter a code, as a second layer of security when logging into your accounts.

Keep an eye on your child’s credit and yours.

According to experts, the type of information that has been breached can easily be used to commit financial crimes, such as opening fraudulent credit cards or loans.

“You need credit monitoring,” said Pam Dixon, executive director of the World Privacy Forum, a public interest research group. “Parents are going to ask, ‘Why does my child need credit monitoring?’ The answer is that children are very high value targets when opening fraudulent credit because no one checks it.

You can check to see if your children have a credit report by contacting all three credit bureaus and asking them to manually run a check using your children’s social security numbers. You can also freeze your children’s credit, which will make it harder for bad actors to open accounts in their name. The Federal Trade Commission has more information on how to take these steps here.

The Department of Education said Illuminate will pay for identity monitoring of affected families. Dixon said that’s a positive sign because identity monitoring typically goes beyond just credit checking. Parents should also be offered the service for themselves, as criminals may be able to link children’s information to their caregivers, Dixon said.

Officials did not provide further details about who will be offered surveillance and how extensive. Not all services are equal, Dixon said.

Families may want to consider paying for monitoring that also includes checking the dark web — corners of the internet that can’t be found via search engines and are often used to broker ill-gotten data. Some services also delete all information on them. These services cost about $50 a year, Dixon said.

Beware of fraudulent calls and emails.

Hackers can use the information they have to extract more data from you. Beware of callers who seem to have details about you or your child, but ask for more.

“Parents should probably be on the lookout for calls that say, ‘We are running out of essential information to enroll your child in school. We need you to call us back as soon as possible and give us their social security number,” Quay-de la Vallée gave as an example.

If something like this happens, Quay-de-la-Vallée has offered some advice. Ask the person for details like the school or department they are calling from and ask for their contact information. Hang up and search online for the entity they claim to be calling from, to see if the information they gave you matches.

A classic tactic to watch out for, she said, is when the caller gives you a strict deadline, to get you to quickly convey information.

Your children could also be direct targets for these scams, so it’s important to warn them to be on the lookout, Quay-de la Vallée said. Bad actors may try to contact your child via social media or their own phone numbers, pretending to be an old classmate, seeking information to reconnect, for example.

Another thing to watch out for are phishing emails. These are messages that contain a malicious link that can infect your computer. They may forward your personal information to hackers or ask you to share other sensitive information.

Dixon said it’s a good idea to change your child’s school email address, if you can. Education Ministry officials did not respond to questions about whether they would facilitate this.

Additionally, experts said don’t be shy about contacting your school to confirm what kind of information they need or to ask how it’s being used.

“If parents are concerned about the security of their children’s data and the data collected by their school districts, I think it’s important for them to speak up,” Levin said.

Stay vigilant because the effects could be felt for a long time.

You will want to continue taking all of these protective measures for the foreseeable future. Experts said it’s not uncommon for data to appear for sale or in other parts of the dark web for years after a breach.

Dixon said students become particularly vulnerable later in high school, when their information could be used to secure student loans, for example.

The information could also be added to databases that collect information over time, gathering more and more detail. Combined, they can become more valuable for committing fraud or being sold based on specific characteristics, such as teenage girls living in New York.

“Being part of these data breaches just means you have to be vigilant about it, in the future and in perpetuity, unfortunately,” Quay-de la Vallée said.

Christina Veiga is a journalist and covers New York City schools with a focus on school diversity and preschool. Chalkbeat is a nonprofit news site covering educational changes in public schools.