Illuminate Education Data Breach

Two More Districts, in California & Washington, Add 22K to Number of Students Impacted by Illuminate Breach

• By Kristal Kuykendall
• 07/05/22

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach. Find more details about the Illuminate data breach — such as why New York is investigating the ed tech company and why cybersecurity experts say transparency should be mandated — in this previous report.

Two more school districts have filed state-mandated notification letterswith their respective state Attorney Generals revealing that their students — a combined total of at least 22,000 — were among the millions across the country impacted by the Illuminate Education breach of private student data.

Waterford Unified School Districtin California and Renton School District in Washington have joined the hundreds of schools across six states that have notified parents of the breach.

Waterford USD, like other California districts known to have been impacted, posted a form letter, dated July 1, from Illuminate on the California Attorney General’s data breach notification website. The letter does not specify the number of students impacted; Waterford USD had about 1,700 students enrolled in the most recent school year, according to its website.

Renton School District’s notification letter was filed on June 21 by attorneys at Lewis Brisbois law firm on behalf of the district and posted to the Washington Attorney General data breach notification website; it states that the district first learned it was impacted by the breach on May 4 and on May 31 district IT officials confirmed that “some personal information” belonging to 20,509 Washington residents was stolen during the Illuminate breach. Renton’s enrollment is about 15,500, according to its website, indicating that current as well as former students were impacted.

The Renton School District data that was breached included “student names, student identification numbers, academic and behavior information, enrollment information, accommodation information, and student demographic information,” according to the notification letter.

The Illuminate Education data breach occurred during a January 2022 cyberattack targeting Illuminate Education’s systems and is known to have impacted the nation’s two largest school districts, New York City Department of Education with about 820,000 students currently enrolled and Los Angeles Unified with 430,000 students, along with hundreds of other schools across New York state, 24 other districts in California, nine districts in Colorado, four in Connecticut, one in Oklahoma, and one in Washington state.

Most of the notifications shared by districts included in the breach have used a template, or portions of it, signed by Illuminate Education. It states that Social Security numbers were not part of the private information that was stolen during the cyberattack. Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioralrecords, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

Many of the districts’ notifications have said that current as well as former students from as many as 10 years ago had their private data stolen in the breach; New York State Department of Education officials have estimated that “at least 2 million” statewide were impacted, leading to THE Journal’s estimated impact of at least 3 million, when counting those currently enrolled at the impacted districts in other states.

The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of data breaches. Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools, but the company declined to specify the total number of U.S. students impacted, in multiple email communications with THE Journal.

California requires a notice of a data breach to be posted on the attorney general’s website, but the notices do not include any details such as what data was stolen, nor the number of students affected; the same is true in Washington state.

Oklahoma City Public Schools on May 13 notified parents that its 34,000 students were also impacted by the Illuminate Education data breach; thus far, it is the only district in Oklahoma known to have been impacted. Oklahoma has no statewide public disclosure requirements, so it’s left up to local districts to decide whether and how to notify parents in the event of a breach of student data, Oklahoma Department of Education officials told THE Journal last month.

In Colorado, where nine districts have publicly disclosed that the Illuminate breach included the data of their combined 140,000 students, there is no legal mandate for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.

Illuminate has told THE Journal that the breach was discovered after it began investigating suspicious access to its systems in early January. The incident resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.