– On December 28, 2021, Illuminate Education was hacked. The intrusion, which lasted until January 8, 2022, compromised the private data of nearly one million students in New York State (and maybe more)
– The breach affected at least 24 school districts and 18 charter schools, along with one Board of Cooperative Educational Services (BOCES)
– The company initially described the hack as an “attempted security incident” but then shut down both Skedula and PupilPath for more than a week to address the issue
– Possibly the largest school data breach in U.S. history
– What Is Illuminate Education?
– A California-based edtech company (founded in 2009) that runs a variety of school information platforms, including Skedula (aka IO Classroom), PupilPath, and eduCLIMBER
– From its website:
– Our solution brings together holistic data and collaborative instructional tools, and puts them in the hands of educators.
– As a result, they can visualize each student’s progress, determine the right instructional or intervention strategy, and take the best next action, moment-by-moment.
– More than 17 million students and 5,200 districts and schools across all 50 states rely on Illuminate every day to move the student performance needle.
– It does not have a NY state- or city-wide contract but it is an approved vendor, which means that it was “rigorously reviewed” by the IT Department for the state Department of Education
– Schools use the platforms for a variety of purposes:
– tracking grades and attendance
– communicating with parents
– contact tracing for COVID–19
– The company has earned about $5 million per year from NY schools
– What Data Was Compromised?
– A database containing a variety of personally identifying information, including:
– home languages
– student ID numbers of current and former public school students going back to the 2016–17 school year
– identities of special ed students
– class and teacher schedules
– identities of those receiving free lunch
– Post-Incident Responses
– Illuminate waited two months to formally notify the city
– Avoid bad publicity and/or litigation
– Negotiating with hackers
– Avoid compromising investigation
– Illuminate claimed that all student data is encrypted but the breach revealed that was not true
– New York state law requires that student information be encrypted both “at rest or in motion”
– The hack is still being investigated by the Dept. of Education, the New York Police Department, the FBI, and NYS Attorney General Leticia James
– A school district in Connecticut also reported a breach, as did at least two in Colorado
– New York State Education Department drafted a template for a letter/web page for parents
– Notification of “unauthorized release of such data”
– Notification of number of years of data affected (blank in template)
– A promise that more information will be provided
– What Are the Risks?
– Profound impact on the ability of schools to function
– Identity Theft using dark web tools and resources
– Credit damage to minors, who typically don’t monitor their credit
– What Can Schools Do?
– Make sure that their own house is in order
– Updated security patches
– Collaboration with other schools/districts
– Ongoing review and utilization of state and federal resources
– Consider bringing in outside security consultants
– Review what student data is collected and whether doing so is mission-critical
– Don’t just collect data because it is possible to do so
– Make local backups of any data that is being transmitted to third-party vendors
– Thoroughly vet third-party vendors who collect and store student data
– Have they had security or data breach issues in the past?
– Advocate for stronger regulation of data collection firms at both state and federal levels
– What Can Parents Do?
– Don’t ignore notices of potential data breaches
– Change any passwords used by you or your children to interact with the school or the vendor platform(s)
– Put a credit lock on child social security numbers
– Take advantage of offers for complimentary credit monitoring for themselves and their children
– Be wary of possible fraud – scam calls, phishing emails, etc.
– Double-check by phone with school personnel about any online request for information
– Talk to your children about possible misuse of their information
– The price of digital data is eternal vigilance
– [n.d.] Illuminate Education
– [n.d.] New York State Education Department Template for Breach Notification Letter
– [n.d.] How to Protect Your Child From Identity Theft
– #2022–05–05 565 Schools, Over 1M Students in NY Impacted by Illuminate Data Breach, NYSED Says; 2nd Colorado District Notifies Parents
– #2022–05–05 List of Schools in New York Impacted by the Illuminate Education Data Breach
– #2022–05–03 Illuminate Education Data Breach Impacted At Least 24 Districts, 18 Charter Schools in NY; Investigation Launched
– #2022–04–21 Illuminate Education breach that affected NYC schools spreads to Connecticut
– #2022–04–21 Another School District Says Student Data Breached Within an Illuminate Education Product
– #2022–03–29 After massive NYC student data breach, here are steps you can take to protect your family
– #2022–03–28 Data Breach Alert: Illuminate Education
– #2022–03–25 Data of 820,000 NYC students compromised in hack of online grading system: Education Dept.
– #2022–03–21 Data breach exposes 820K New York City students’ information
– #2022–01–15 NYC schools crippled by week-long data service systems outage
– #2022–01–14 Ransomware feared in weeklong outage of online grading and attendance system used by NYC schools
– #2022–01–11 Online grade and attendance system used by many NYC schools down for days
School Data Breach
Question someone would ask where this would be the answer
My school was hacked
Blog Post (<1000 words)
“My student’s school was hacked!” While there are certainly worse things that could happen at your child’s school, this idea of being hacked can and should cause trepidation among parents.
Here are three things parents and schools can do when they have been hacked
The price of digital data is eternal vigilance @cybertraps