EdisonLearning Breach in 2023 Subject of Class-Action Inquiry as Official Notification is Posted

Attorneys working with ClassAction.org are “investigating whether a class-action lawsuit can be filed” against EdisonLearning on behalf of individuals whose name and Social Security number were among files stolen during a ransomware attack in early March 2023.

The cyberattack targeting public school management and virtual learning provider EdisonLearning became publicly known last April when the Royal ransomware gang posted on its dark web data leak site that it had stolen 20GB of the company’s data “including personal information of employees and students” and threatened to post the data “early next week.” 

“Looks like knowledge providers missed some lessons of cyber security [sic]. Recently we gave one to EdisonLearning and they have failed,” read the April 26, 2023 post by the Royal gang.

A screenshot from April 26, 2023 shows the dark web leak site of The Royal Ransomware gang and its threat to release data it claimed to have stolen from EdisonLearning

THE Journal first reported on the breach on May 2, 2023.

Last week, EdisonLearning’s data breach notification was posted on the Vermont Attorney General’s website, dated Feb. 21, 2024. The notice states: “On or about March 17, 2023, EdisonLearning became aware of suspicious activity within our systems. We immediately took steps to secure our systems and launched an investigation into the nature and scope of the activity with the assistance of third-party specialists. Through our investigation we determined that an unauthorized actor accessed certain computer systems in our network between March 7, 2023, and March 17, 2023, and downloaded certain files stored in those locations.”

The types of breached information is redacted from the notice, but according to ClassAction.org, the stolen information “may include the names and Social Security numbers of individuals associated with the company.” 

“To date, we are unaware of the actual misuse of this information as a result of the event,” EdisonLearning’s notice states.

At the time of the initial reporting of the ransomware group’s threat, EdisonLearning confirmed a cyber incident had occurred and said it could not divulge anything else. 

It is not clear whether the stolen data was ever posted on Royal’s dark web leak site because the gang's website has since been removed; in November 2023, CISA and the FBI said the Royal gang had hacked more than 350 known victims and demanded ransoms exceeding $275 million, adding that the group might be “rebranding” under the name Blacksuit.

EdisonLearning Director of Communications Michael Serpe confirmed in an email to THE Journal today that the impacted systems held corporate data but no student data.

“As noted last year at the time of the attack, the information accessed was only corporate-related data. No further specifics will be provided. Also, no student information was impacted since such information is not maintained on the corporate system,” Serpe said. “EdisonLearning has been working diligently with subject matter specialists, including legal counsel and forensic analysts, since the incident to investigate and confirm the scope of the potentially impacted data. Following the initial investigation, EdisonLearning undertook a comprehensive, time-intensive process to confirm precisely what information was involved, to identify the contact information for those individuals potentially impacted, and to provide notice in accordance with our relevant obligations. Additionally, we instituted a number of new internal security protocols, which we would rather not specify.”

ClassAction.org attorneys are asking individuals who received a notice stating they were impacted to contact them by completing an online form.

According to the ClassAction.org investigation announcement, EdisonLearning first sent a preliminary notice of the breach to its current employees on April 14, 2023, alerting them that they “may have been impacted by the incident.” 

The company began mailing written notices of the incident to other affected individuals on February 21, 2024, the same day the breach notification was posted on the Vermont AG’s website.

Based in Fort Lauderdale, Florida, EdisonLearning was founded in 1992 as the Edison Project to provide school management services for public charter schools and struggling districts in the United States and United Kingdom. 

According to an archived 2015 website page, EdisonLearning has managed hundreds of schools in 32 states, serving millions of students over the years. A 2012 EdisonLearning sales presentation viewed by THE Journal states that during the 2009–2010 school year, the company’s services were providing schooling for 400,000 children in 25 states, the U.K., and the United Arab Emirates. The information did not list the number of people employed by the company.

More recently, EdisonLearning has expanded to provide virtual schooling for middle and high school students as well as CTE courses for high school students, social-emotional learning courses for middle and high school, and more. The company operates its own in-house learning management system, called eSchoolware, and on its website touts other services such as “management solutions, alternative education, personal learning plans, and turnaround services for underperforming schools.”

Featured