Student Data Breaches

Another School District Says Student Data Breached Within an Illuminate Education Product

• By Kristal Kuykendall
• 04/21/22

Another school district has announced that student data stored on Illuminate Education software has been breached and said Illuminate is is mailing a letter to parents offering “complimentary” identity monitoring service for a year.

Coventry Public Schools in Connecticut posted a notice on its website this week, stating the Illuminate software it uses, eduClimber, had experienced a data breach. The notice does not specify when the breach occurred, but states that the district was “recently notified” of the data breach.

Coventry is the second district in the past month to acknowledge a data breach within school systems managed by Illuminate Education; three weeks ago, New York City public school administrators learned that a data breach had occurred during a January cyberattack on Illuminate’s systems — and that personal information of about 820,000 current and former students had been compromised.

A data breach affecting 820,000 students would make it the largest single-school data breach in U.S. history, cybersecurity expert Doug Levin of K12 Security Information Exchange told THE Journal last month.

The number of students whose personal data was compromised during the cyberattack could actually be much larger.

When Illuminate’s systems were hit in January, all of its school software products were knocked off-line for a week or more, according to its service status site; the company’s website states that its school solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools with a total enrollment of about 17 million U.S. students.

Illuminate Education told THE Journal last month via email that a data breach impacting NYC schools occurred during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were impacted. Illuminate did not respond to emails and phone calls seeking more information.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” Illuminate Education said in an emailed statement. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again. Please note that we do not store financial information or Social Security numbers on our systems so these types of information were not affected.”

Coventry Public Schools’ notice to parents, dated April 18, said “we are writing to inform you that one of our vendors experienced a data breach of an application which houses student data for Coventry Public Schools. Illuminate Education is an education company that provides applications and technology support to school districts, including eduCLIMBER which is used in our district. We were recently notified of an incident that may affect the security of some of your child's information. According to Illuminate Education, affected databases included names along with demographic and academic related information for some current and former students. We have been told there is no evidence that any information was subject to actual or attempted misuse.

“Coventry Public Schools is working in partnership with Illuminate Education to help support affected families with this incident. Affected families will be receiving a mailing from Illuminate Education offering those children complimentary access to 12 months of identity monitoring services through IDX. The letters will contain information on how to enroll if you elect to do so, along with additional information regarding data privacy.”

Coventry is a fraction of the size of the New York City school district, with about 1,650 students enrolled, according to the district website.

Yet, confirmation of another school data breach related to a cyber incident targeting Illuminate systems — and from a district using a different Illuminate product than the one that was the source of NYC’s breach — “suggests that maybe the Illuminate Education breach is bigger than New York City,” Levin said.