State Audit Flags Gaps in NYC School Tech Oversight as Ransomware Looms Larger

Recurrent lapses in data oversight across New York City’s vast public school system risk undermining not only student privacy but also public confidence in digital education.

When the computers at a South Brooklyn school flickered with error messages in late April, few suspected the blip marked the edge of a far wider malaise. Within days, students and teachers alike were locked out of Canvas, the ubiquitous online education platform, due to a ransomware assault disrupting scores of school districts and universities from Manhattan to Michigan. Yet as screens froze and parents scrambled for updates, a more pedestrian revelation emerged: New York City’s own education officials had again failed to track, or even fully grasp, which technologies its 1,600 schools rely on—and when breaches strike, delays and confusion follow.

Such was the principal finding of a stern audit released by the New York State Comptroller’s Office last month. Comptroller Thomas DiNapoli’s team pored over school data-handling practices from March 2020 to September 2025, scrutinizing a district that serves roughly 900,000 students—America’s largest public education system. Auditors found that the system does not maintain a centralized inventory of the digital applications being used—a seemingly banal oversight, but one with non-trivial consequences. Without this basic knowledge, city officials cannot reliably assess risks, deploy patches, or warn families in a timely fashion when student records are exposed.

Those consequences have been neither abstract nor rare. Of the 141 data breaches reviewed between January 2023 and February 2025, nearly half were reported to the state late—sometimes over a year late. When malware was detected in a shared school computer lab and, separately, a globalized breach exposed at least seven New York schools, prompt and cogent notification was elusive. Parents only discovered missing or compromised data after troubling delays; the city scrambled to reconstruct which children, teachers, or community members might be affected.

More worrying still is the human element. About a quarter of the Department of Education’s 161,000 employees did not complete the required annual data privacy training in 2024. Policies for data security and privacy are not always published, nor are they complete; auditors flagged several blind spots in current guidelines and found notable weaknesses in technical controls. “When you don’t know what digital tools are in use, you can’t scan for red flags or ensure secure deployment,” said Tina Kim, the deputy comptroller for state government accountability. “Inventories aren’t just bureaucratic niceties—they’re essential to risk management.”

For New Yorkers, these persistent lapses mean students’ sensitive information remains at chronic risk—names, grades, health records, and even biometric data can be exposed, sold, or manipulated before parents or teachers are any the wiser. In a school system that aspires to close opportunity gaps, a loss of confidence in digital safety can easily morph into wider distrust of education authorities themselves. Pity the families who must not only navigate remote learning when systems crash, but wonder whether a child’s Social Security number is now for sale.

The city, for its part, has not been idle. Chancellor Kamar Samuels reported efforts to investigate recent incidents, attributing some breaches to the recent rash of ransomware attacks. But such gestures ring somewhat hollow when foundational inventory and transparency practices remain lacking, years into the digital transformation spurred by the pandemic. New York’s ambition to be the global capital of digitally served multicultural education sits uneasily with such administrative amnesia.

Economically, digital disarray bodes poorly not only for students. Public trust in remote educational platforms sits at a low ebb; families may reconsider participation in innovative programs, and private partners will price in the city’s data risk. Costs—both monetary and reputational—accrue after every delayed disclosure or bungled notification. Opportunistic cybercriminals, for their part, perceive large, decentralized education systems with lax controls as easy pickings.

NYC’s digital woes in national context

If the city’s performance bodes ill, it is by no means singular. The recent Canvas outage affected heavyweights like Columbia, Rutgers, and Princeton, highlighting how even higher education titans, with their palatial IT budgets, struggle to secure sprawling digital environments. Nationwide, ransomware gangs ply their trade with impunity, abetted by the complexity and weak coordination endemic to American education. In 2025 alone, education sector breaches outpaced those in retail and healthcare, according to the federal Cybersecurity and Infrastructure Security Agency.

Yet some districts and cities have fared better—not through technology wizardry, but by insisting, sometimes tediously, on basics. Los Angeles Unified, for instance, responded to a 2022 ransomware attack by centralizing its software inventory and tightening notification timelines to within 72 hours of each breach, reportedly containing damage in subsequent incidents. London’s schools, meanwhile, have adopted standardized cybersecurity frameworks, pairing mandatory staff retraining with plain-English updates to families. Such reforms are not glamorous, but the data suggest they are effective.

We reckon New York’s public schools possess the scale, budget, and talent to emulate these best practices. That they continue to struggle with basic data housekeeping is as much a matter of managerial culture as technical challenge; the city’s bureaucratic sprawl perpetually lags aspiration. Mandating complete, up-to-date app inventories and posting simple, timely breach notifications would not cure all ills, but would certainly dull hackers’ appetite and rekindle public trust.

As digital learning becomes inseparable from modern schooling, the city’s educators and administrators face a fork: persist with the pell-mell accumulation of apps and platforms, or impose the discipline needed to protect their charges. If the latter, the road will be methodical rather than meteoric—more memos than miracles. Still, for the nearly million children learning, collaborating, and storing their lives online, such unglamorous progress cannot come soon enough.

■