New York state schools experienced a significant surge in cybersecurity issues in 2025, with data incident reports jumping 72% over the previous year. Official data reveals that while human error remains the leading cause of these breaches, external hacking and third-party contractor vulnerabilities also contributed to the record-high numbers.
Education officials have documented a sharp rise in compromised student data and cybersecurity threats across the state throughout 2025. The annual report released by the state Education Department’s chief privacy officer shows that total reported incidents climbed from 384 in 2024 to 662 in 2025. This trend represents a massive increase compared to just a few years ago, noting that only 71 incidents were reported statewide in 2021. Long Island specifically saw an uptick in activity, with 44 reported incidents in 2025 compared to 35 during the prior year.
The primary driver behind these security lapses appears to be human error, which was cited in 341 of the state's reported cases. These situations typically involve staff or administrators accidentally sharing private or sensitive information with the wrong individuals or groups. Because a single incident can stem from multiple factors, the state tracks several categories of origin to better understand how data is being exposed within the school systems.
Beyond internal mistakes, third-party contractors represent a significant vulnerability for educational institutions. Roughly one-third of the incidents, totaling 230 cases, involved unauthorized access or disclosure of information by outside vendors. This highlights the ongoing challenge schools face in securing data that is managed or stored by external partners who provide various digital services and platforms to the districts.
External threats and deliberate attacks also remain a constant concern for state officials. Malicious hacking and external breaches accounted for 221 of the incidents recorded in the 2025 report. While less frequent than accidental disclosures, these intentional intrusions often pose a high risk to the integrity of student and staff records and require more complex technical interventions to resolve and prevent.
Specific methods used by bad actors include phishing, which was identified in 32 different reports throughout the year. Additionally, the state found that two incidents were the result of more severe ransomware and malware attacks. As schools continue to integrate more technology into their daily operations, the variety of causes behind these data incidents suggests a need for multifaceted security strategies to protect the privacy of the school community.
Source: https://www.newsday.com/long-island/education/school-data-incidents-nys-long-island-trw4ysk4