New York City’s public schools system struggles to track which technology its schools use, report breaches on time and notify families when student data is compromised, the state comptroller’s office found in a recent report.
Comptroller Thomas DiNapoli released the audit late last month, about a week before the start of a widespread ransomware breach that ultimately left school districts and colleges around the country without access to the online education platform Canvas. New York City schools, Columbia University, Rutgers University and Princeton University were all among the institutions facing outages this week.
In a statement on Friday, Schools Chancellor Kamar Samuels said the department had recently learned of two data privacy issues. One was “globalized,” affecting up to seven schools, an apparent reference to the Canvas breach. The other, he said, was localized to one campus. Bloomberg cited a memo saying malware had been found on computers at one school community’s shared lab.
DiNapoli’s audit doesn’t address those incidents. It was based on a longer review of the period from March 2020 through September 2025. It found the city’s public schools system — which serves roughly 900,000 students across 1,600 schools — does not maintain a comprehensive list of the various applications each school uses and, as a result, does not have a “clear understanding of its environment, the type of information being stored in these applications, and the various risks associated with the data.”
Auditors reviewed 141 data breaches between January 2023 and February 2025 and found the department delayed reporting nearly half of those breaches to the state, in some cases by more than a year.
“One of the things that we noted in the report is a lack of a centralized inventory,” said Tina Kim, the deputy comptroller for state government accountability. “So, the district is not aware of what specific applications all of the schools are actually using.”
“And if you think about it, that creates a delay because you don’t have a centralized inventory,” Kim continued. “And the reason why inventories are also important is because it allows you to basically do a risk assessment and know if you’re using certain applications that are higher risk, you have to put in certain controls.”
They also found that school district policy didn’t address some areas related to data security and privacy, or publish related materials on the school system’s website. Auditors also said they found “weaknesses in technical controls” used to safeguard student data. And they said a quarter of the department’s roughly 161,000 employees did not complete required annual data privacy training in 2024.
“Historically, when you got a phishing email, there were red flags, there were misspellings,” Kim said. “But artificial intelligence can take away those red flags, and with new technology, you can actually do phishing emails at scale.”
“That’s why training is so important, because artificial intelligence lowers the barrier,” Kim continued. “It basically increases the number of people who have access to these tools and makes it a lot easier to actually do.”
New York City Public Schools didn’t immediately reply to a message from Gothamist seeking comment on Saturday. In a written response to the audit, however, Deputy Chancellor of School Operations Kevin Moran said protecting student data “is of the utmost importance” to the department.
Moran also pointed to a new student privacy webpage and a working group of parents, advocates and school leaders convened in the past year. And while Moran pushed back on some of the survey’s methodology, the department accepted most of the comptroller's recommendations, including developing a way to account for all student information systems and drafting a written data classification policy.
The comptroller's office said it would follow up in a year to check on the district’s progress in implementing its recommendations.
