EdisonLearning Breach in 2023 Subject of Class-Action Inquiry as Official Notification is Posted

Attorneys working with ClassAction.org are “investigating whether a class-action lawsuit can be filed” against EdisonLearning on behalf of individuals whose name and Social Security number were among files stolen during a ransomware attack in early March 2023.

The cyberattack targeting public school management and virtual learning provider EdisonLearning became publicly known last April when the Royal ransomware gang posted on its dark web data leak site that it had stolen 20GB of the company’s data “including personal information of employees and students” and threatened to post the data “early next week.” 

“Looks like knowledge providers missed some lessons of cyber security [sic]. Recently we gave one to EdisonLearning and they have failed,” read the April 26, 2023 post by the Royal gang.

A screenshot from April 26, 2023, shows the dark web leak site of the Royal ransomware gang and its threat to release data it claimed to have stolen from EdisonLearning.

THE Journal first reported on the breach on May 2, 2023.

Last week, EdisonLearning’s data breach notification was posted on the Vermont Attorney General’s website, dated Feb. 21, 2024. The notice states: “On or about March 17, 2023, EdisonLearning became aware of suspicious activity within our systems. We immediately took steps to secure our systems and launched an investigation into the nature and scope of the activity with the assistance of third-party specialists. Through our investigation we determined that an unauthorized actor accessed certain computer systems in our network between March 7, 2023, and March 17, 2023, and downloaded certain files stored in those locations.”

The types of breached information are redacted from the notice, but according to ClassAction.org, the stolen information “may include the names and Social Security numbers of individuals associated with the company.”

“To date, we are unaware of the actual misuse of this information as a result of the event,” EdisonLearning’s notice states.

At the time of the initial reporting of the ransomware group’s threat, EdisonLearning confirmed a cyber incident had occurred and said it could not divulge anything else. 

It is not clear whether the stolen data was ever posted on Royal’s dark web leak site because the gang's website has since been removed; in November 2023, CISA and the FBI said the Royal gang had hacked more than 350 known victims and demanded ransoms exceeding $275 million, adding that the group might be “rebranding” under the name Blacksuit.

EdisonLearning Director of Communications Michael Serpe confirmed in an email to THE Journal today that the impacted systems held corporate data but no student data.

“As noted last year at the time of the attack, the information accessed was only corporate-related data. No further specifics will be provided. Also, no student information was impacted since such information is not maintained on the corporate system,” Serpe said. “EdisonLearning has been working diligently with subject matter specialists, including legal counsel and forensic analysts, since the incident to investigate and confirm the scope of the potentially impacted data. Following the initial investigation, EdisonLearning undertook a comprehensive, time-intensive process to confirm precisely what information was involved, to identify the contact information for those individuals potentially impacted, and to provide notice in accordance with our relevant obligations. Additionally, we instituted a number of new internal security protocols, which we would rather not specify.”

ClassAction.org attorneys are asking individuals who received a notice stating they were impacted to contact them by completing an online form.

According to the ClassAction.org investigation announcement, EdisonLearning first sent a preliminary notice of the breach to its current employees on April 14, 2023, alerting them that they “may have been impacted by the incident.” 

The company began mailing written notices of the incident to other affected individuals on February 21, 2024, the same day the breach notification was posted on the Vermont AG’s website.

Based in Fort Lauderdale, Florida, EdisonLearning was founded in 1992 as the Edison Project to provide school management services for public charter schools and struggling districts in the United States and United Kingdom. 

According to an archived 2015 website page, EdisonLearning has managed hundreds of schools in 32 states, serving millions of students over the years. A 2012 EdisonLearning sales presentation viewed by THE Journal states that during the 2009–2010 school year, the company’s services were providing schooling for 400,000 children in 25 states, the U.K., and the United Arab Emirates. The information did not list the number of people employed by the company.

More recently, EdisonLearning has expanded to provide virtual schooling for middle and high school students as well as CTE courses for high school students, social-emotional learning courses for middle and high school, and more. The company operates its own in-house learning management system, called eSchoolware, and on its website touts other services such as “management solutions, alternative education, personal learning plans, and turnaround services for underperforming schools.”
