Student Data Breach

Illuminate Education Data Breach Impacted At Least 24 Districts, 18 Charter Schools in NY; Investigation Launched

New York State Education Official Says 'At Least' 1 Million NY Students Impacted

Editor's Note: This report has been updated with additional details: 565 Schools, Over 1 Million Students Impacted By Data Breach, NYSED Says; 2nd Colorado District Notifies Parents It, Too, Was Impacted.

At least 24 school districts and 18 charter schools in New York — totaling “at least” a million students in the state — were impacted by the breach of private student data that occurred during a January cyberattack on Illuminate Education’s systems, and the New York State Education Department has launched an investigation into the data breach, a NYSED official told THE Journal.

The breach compromised the student data of at least 24 school districts and 18 charter schools in New York, plus one Board of Cooperative Educational Services, according to the information received thus far by NYSED, Deputy Director of Communications J.P. O’Hare told THE Journal via email. Each of New York’s 37 BOCES includes numerous school districts serving dozens of cities and towns, allowing all but the state’s largest five districts to share educational services and realize cost savings in purchasing software and equipment.

The exact number of New York students impacted by the data breach was not readily available, O’Hare said: “According to the information that NYSED has obtained to date, at least 1 million New York State students have been impacted.” THE Journal filed a Freedom of Information request for the list of impacted schools and districts but has not yet received a response.

O’Hare’s email came in response to questions from THE Journal about a data breach notification letter template that NYSED posted on its website to guide New York schools in telling parents about their students’ private data being compromised during the Illuminate cyberattack.

The districts previously known to have been impacted by the Illuminate Education data breach included three: New York City schools, which said about 820,000 current and former students’ data was compromised; Coventry Public Schools in Connecticut, with enrollment of about 1,650; and Mesa County Valley School District 51 in Grand Junction, Colo., with enrollment of about 21,000.

Because districts and BOCES schools make decisions locally about which software to use in their schools, NYSED is not yet certain how many schools use any of Illuminate Education’s solutions — all of which were offline for a week or more during the January cyberattack, according to its service status site. The company’s website states that its K–12 ed tech solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools with a total enrollment of about 17 million U.S. students.

New York law requires any third-party contractor with access to student data to encrypt the student data “at rest and in motion,” O’Hare said, citing Education Law §2-d and Commissioner of Education regulations 8 NYCRR §§ 121.3 (c)(6) and 121.9(a)(7).

When a breach of student data occurs, state law authorizes NYSED’s Chief Privacy Officer to “investigate and potentially impose civil penalties; order that a third party contractor be precluded from accessing student data from the educational agency with which it contracted, or the state of New York; determine that a third-party contractor is not a responsible bidder; and/or require the third party contractor to provide training,” O’Hare explained.

“NYSED privacy office has undertaken an investigation of the Illuminate Education breach,” he told THE Journal. “As part of that investigation, NYSED’s privacy office has asked all school districts and charter schools to complete a survey providing information as to what Illuminate Education products, if any, were or are used by the school.”

The investigation began on April 1, O’Hare said.

What New York’s Law Says About Disclosure & Why It Matters

New York’s Education Law §2-d, strengthened to protect student data privacy in 2019, states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” The law also requires that affected schools be notified of any data breach “without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.” After a third-party breach notification, or after independent discovery by the school itself, the affected school must notify (NYSED) within 10 calendar days. Regardless of where the breach or unauthorized release was discovered, the school must notify affected individuals without unreasonable delay but in no case more than 14 calendar days from the date of discovery.

For months after the cyberattack took its school software off-line, Illuminate remained quiet; then in March, the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post at the time that they were asking state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

Illuminate Education told THE Journal in response to emailed questions about the NYC data breach that the students’ data was compromised during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were also impacted by the breach and now at risk of identity theft. Illuminate has not responded to multiple follow-up emails and phone calls seeking more information.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” Illuminate Education said in a March statement emailed to THE Journal. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again. Please note that we do not store financial information or Social Security numbers on our systems so these types of information were not affected.”

A data breach affecting 820,000 students would qualify as the largest single-school data breach in U.S. history, cybersecurity expert Doug Levin told THE Journal last month. Confirmation of more school data breaches related to the January cyberattack on Illuminate systems raises many serious questions that demand answers, said Levin, who is national director for the nation’s only nonprofit dedicated to K–12 school cybersecurity, called K12 Security Information Exchange.

“When did Illuminate Education learn of the incident? How did they respond? How is it that multiple schools both inside and outside of New York were affected by this incident?” Levin asked. “Why did it take so long for Illuminate Education to inform affected parties? What is the total number of records exposed? Have all the affected individuals been notified? If not, when will they be?”

The data breach within Illuminate’s systems underscores the need for a “greater focus on school vendor security practices,” he added.

“Vendors such as Illuminate Education hold confidential records on millions of current and former students and staff,” Levin said. “Ensuring that K–12 vendors have a robust cybersecurity risk management program — including third-party audits and the national cybersecurity certifications — should be the bar for entry to the school market, not the exception. The veil of secrecy around this incident only serves to obscure the steps necessary to ensure this situation is avoided in the future.”

K12SIX’s annual State of K–12 Cybersecurity Year in Review report released in March emphasized a need for greater oversight and mandated public disclosure of all cyber incidents where threat actors gain access to the personal, private data of students or school employees.

K–12 schools are not required in most states to publicly disclose cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, the report said. (New York is one of a handful of exceptions.) Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, K12SIX’s report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.

The danger of identity theft is far greater for a minor whose personal information was stolen than for an adult, Levin told THE Journal in March, after the Year in Review report was released.

“You’d think that getting the identity information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused, and their credit record can be hijacked and used for five to 10 years before anyone figures out their identity has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

The risk to those whose personal data is stolen is not hypothetical, Levin said.

“We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated against not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”

The NYSED Data Breach Notification Template

About a week ago, NYSED posted the following notice to schools on its website:

“Guidance from the New York State Education Department’s Privacy Office regarding the notification of former students is that each educational agency must do the best it can to notify all students, current and former, regarding the Illuminate Education breach.

“Therefore, each educational agency must notify all former students for whom it has any address or location information, including an email address. Additionally, it is advised that each educational agency maintain a list of the current students’ parent/guardians and former students it attempted to notify individually.

“Finally, a notice on the educational agency’s web page is appropriate because of the past years the breach includes.”

The post goes on to share a “sample web page notification” for schools to “use when notifying the parents/guardian of current students, eligible students, and in this case former students as well as potentially, teachers and principals, about the Illuminate Education breach.”

The notification template to alert parents and staff reads as follows:

“In accordance with State Education Law 2-d we are required to notify you when a third-party contractor that receives student data or teacher or principal data pursuant to a contract or written agreement with us had an unauthorized release of such data. As such, this notice is to inform you that Illuminate Education, an educational software company whose products are used in our school district/charter school, has informed us that some databases containing potentially protected student information were subject to unauthorized access between December 28, 2021, and January 8, 2022.

“According to Illuminate Education the affected databases included names, demographic and academic information. The data accessed pertains to the following school years, (insert years).

“Affected current students and former students for which we have contact information, teachers and principals where applicable will receive a letter from us/Illuminate Education with more information on the information accessed. … If you are a former student and would like additional information, please contact us at (phone number) or by email at (email address), so that we may send you a letter with additional information on the data accessed.”
