EdisonLearning Breach in 2023 Subject of Class-Action Inquiry as Official Notification is Posted

Attorneys working with ClassAction.org are “investigating whether a class-action lawsuit can be filed” against EdisonLearning on behalf of individuals whose name and Social Security number were among files stolen during a ransomware attack in early March 2023.

The cyberattack targeting public school management and virtual learning provider EdisonLearning became publicly known last April when the Royal ransomware gang posted on its dark web data leak site that it had stolen 20GB of the company’s data “including personal information of employees and students” and threatened to post the data “early next week.” 

“Looks like knowledge providers missed some lessons of cyber security [sic]. Recently we gave one to EdisonLearning and they have failed,” read the April 26, 2023 post by the Royal gang.

A screenshot from April 26, 2023 shows the dark web leak site of The Royal Ransomware gang and its threat to release data it claimed to have stolen from EdisonLearning

THE Journal first reported on the breach on May 2, 2023.

Last week, EdisonLearning’s data breach notification was posted on the Vermont Attorney General’s website, dated Feb. 21, 2024. The notice states: “On or about March 17, 2023, EdisonLearning became aware of suspicious activity within our systems. We immediately took steps to secure our systems and launched an investigation into the nature and scope of the activity with the assistance of third-party specialists. Through our investigation we determined that an unauthorized actor accessed certain computer systems in our network between March 7, 2023, and March 17, 2023, and downloaded certain files stored in those locations.”

The types of breached information is redacted from the notice, but according to ClassAction.org, the stolen information “may include the names and Social Security numbers of individuals associated with the company.” 

“To date, we are unaware of the actual misuse of this information as a result of the event,” EdisonLearning’s notice states.

At the time of the initial reporting of the ransomware group’s threat, EdisonLearning confirmed a cyber incident had occurred and said it could not divulge anything else. 

It is not clear whether the stolen data was ever posted on Royal’s dark web leak site because the gang's website has since been removed; in November 2023, CISA and the FBI said the Royal gang had hacked more than 350 known victims and demanded ransoms exceeding $275 million, adding that the group might be “rebranding” under the name Blacksuit.

EdisonLearning Director of Communications Michael Serpe confirmed in an email to THE Journal today that the impacted systems held corporate data but no student data.

“As noted last year at the time of the attack, the information accessed was only corporate-related data. No further specifics will be provided. Also, no student information was impacted since such information is not maintained on the corporate system,” Serpe said. “EdisonLearning has been working diligently with subject matter specialists, including legal counsel and forensic analysts, since the incident to investigate and confirm the scope of the potentially impacted data. Following the initial investigation, EdisonLearning undertook a comprehensive, time-intensive process to confirm precisely what information was involved, to identify the contact information for those individuals potentially impacted, and to provide notice in accordance with our relevant obligations. Additionally, we instituted a number of new internal security protocols, which we would rather not specify.”

ClassAction.org attorneys are asking individuals who received a notice stating they were impacted to contact them by completing an online form.

According to the ClassAction.org investigation announcement, EdisonLearning first sent a preliminary notice of the breach to its current employees on April 14, 2023, alerting them that they “may have been impacted by the incident.” 

The company began mailing written notices of the incident to other affected individuals on February 21, 2024, the same day the breach notification was posted on the Vermont AG’s website.

Based in Fort Lauderdale, Florida, EdisonLearning was founded in 1992 as the Edison Project to provide school management services for public charter schools and struggling districts in the United States and United Kingdom. 

According to an archived 2015 website page, EdisonLearning has managed hundreds of schools in 32 states, serving millions of students over the years. A 2012 EdisonLearning sales presentation viewed by THE Journal states that during the 2009–2010 school year, the company’s services were providing schooling for 400,000 children in 25 states, the U.K., and the United Arab Emirates. The information did not list the number of people employed by the company.

More recently, EdisonLearning has expanded to provide virtual schooling for middle and high school students as well as CTE courses for high school students, social-emotional learning courses for middle and high school, and more. The company operates its own in-house learning management system, called eSchoolware, and on its website touts other services such as “management solutions, alternative education, personal learning plans, and turnaround services for underperforming schools.”

Featured

  • tool icons with variety of business icons

    SETDA Releases Free EdTech Quality Action Toolkit

    The State Educational Technology Directors Association (SETDA) has put together a free K-12 EdTech Quality Action Toolkit that provides a framework for evaluating education technology products as well as guidance on regulatory compliance, templates for communicating with vendors, training resources, and more.

  • cyber security padlock

    Report: AI Adoption Forces Trade-Off Between Speed and Identity Security

    AI adoption is forcing enterprises to trade security for speed — and identity controls are the first casualty, according to a new report from Delinea, a provider of identity security solutions for both human and AI agent identities.

  • Neon blue security locks with a single red highlight

    With AI, Cybersecurity Focus Shifts from Finding Flaws to Fixing Them

    For decades, one of cybersecurity's biggest challenges has been finding vulnerabilities before attackers do. A growing number of security professionals now say artificial intelligence is changing that equation, shifting the focus from discovering flaws to fixing them quickly enough to prevent exploitation.

  • abstract data flow

    Google Announces New Gemini Enterprise Agent Platform

    Google Cloud has introduced a new platform for building and managing enterprise AI agents, as the company seeks to turn its Gemini models and Vertex AI tooling into a broader system for automating business workflows.