EdisonLearning Breach in 2023 Subject of Class-Action Inquiry as Official Notification is Posted

Attorneys working with ClassAction.org are “investigating whether a class-action lawsuit can be filed” against EdisonLearning on behalf of individuals whose name and Social Security number were among files stolen during a ransomware attack in early March 2023.

The cyberattack targeting public school management and virtual learning provider EdisonLearning became publicly known last April when the Royal ransomware gang posted on its dark web data leak site that it had stolen 20GB of the company’s data “including personal information of employees and students” and threatened to post the data “early next week.” 

“Looks like knowledge providers missed some lessons of cyber security [sic]. Recently we gave one to EdisonLearning and they have failed,” read the April 26, 2023 post by the Royal gang.

A screenshot from April 26, 2023 shows the dark web leak site of The Royal Ransomware gang and its threat to release data it claimed to have stolen from EdisonLearning

THE Journal first reported on the breach on May 2, 2023.

Last week, EdisonLearning’s data breach notification was posted on the Vermont Attorney General’s website, dated Feb. 21, 2024. The notice states: “On or about March 17, 2023, EdisonLearning became aware of suspicious activity within our systems. We immediately took steps to secure our systems and launched an investigation into the nature and scope of the activity with the assistance of third-party specialists. Through our investigation we determined that an unauthorized actor accessed certain computer systems in our network between March 7, 2023, and March 17, 2023, and downloaded certain files stored in those locations.”

The types of breached information is redacted from the notice, but according to ClassAction.org, the stolen information “may include the names and Social Security numbers of individuals associated with the company.” 

“To date, we are unaware of the actual misuse of this information as a result of the event,” EdisonLearning’s notice states.

At the time of the initial reporting of the ransomware group’s threat, EdisonLearning confirmed a cyber incident had occurred and said it could not divulge anything else. 

It is not clear whether the stolen data was ever posted on Royal’s dark web leak site because the gang's website has since been removed; in November 2023, CISA and the FBI said the Royal gang had hacked more than 350 known victims and demanded ransoms exceeding $275 million, adding that the group might be “rebranding” under the name Blacksuit.

EdisonLearning Director of Communications Michael Serpe confirmed in an email to THE Journal today that the impacted systems held corporate data but no student data.

“As noted last year at the time of the attack, the information accessed was only corporate-related data. No further specifics will be provided. Also, no student information was impacted since such information is not maintained on the corporate system,” Serpe said. “EdisonLearning has been working diligently with subject matter specialists, including legal counsel and forensic analysts, since the incident to investigate and confirm the scope of the potentially impacted data. Following the initial investigation, EdisonLearning undertook a comprehensive, time-intensive process to confirm precisely what information was involved, to identify the contact information for those individuals potentially impacted, and to provide notice in accordance with our relevant obligations. Additionally, we instituted a number of new internal security protocols, which we would rather not specify.”

ClassAction.org attorneys are asking individuals who received a notice stating they were impacted to contact them by completing an online form.

According to the ClassAction.org investigation announcement, EdisonLearning first sent a preliminary notice of the breach to its current employees on April 14, 2023, alerting them that they “may have been impacted by the incident.” 

The company began mailing written notices of the incident to other affected individuals on February 21, 2024, the same day the breach notification was posted on the Vermont AG’s website.

Based in Fort Lauderdale, Florida, EdisonLearning was founded in 1992 as the Edison Project to provide school management services for public charter schools and struggling districts in the United States and United Kingdom. 

According to an archived 2015 website page, EdisonLearning has managed hundreds of schools in 32 states, serving millions of students over the years. A 2012 EdisonLearning sales presentation viewed by THE Journal states that during the 2009–2010 school year, the company’s services were providing schooling for 400,000 children in 25 states, the U.K., and the United Arab Emirates. The information did not list the number of people employed by the company.

More recently, EdisonLearning has expanded to provide virtual schooling for middle and high school students as well as CTE courses for high school students, social-emotional learning courses for middle and high school, and more. The company operates its own in-house learning management system, called eSchoolware, and on its website touts other services such as “management solutions, alternative education, personal learning plans, and turnaround services for underperforming schools.”

Featured

  • stylized illustration of an open guidebook with a glowing AI symbol hovering above

    ED Releases Toolkit for Intentional Use of AI in Education

    The United States Department of Education's Office of Educational Technology has released a new resource to help education leaders navigate AI adoption while ensuring student protection.

  • zSpace Imagine Learning Solution

    zSpace Debuts Headset-Free AR/VR System

    Immersive learning company zSpace has announced the zSpace Imagine Learning Solution, a headset-free AR/VR laptop system designed for elementary education. The all-in-one platform integrates hardware, software, and hands-on lessons to create dynamic learning experiences for young students.

  • A geometric pattern of open Chromebook computers with bold outlines, subtle shading, and soft gradients, spaced evenly with vibrant green and blue accents on a neutral background.

    Challenges and Opportunities Ahead for the 'Great Chromebook Refresh'

    During the pandemic, the education community scrambled to provide students with laptops to promote online learning equity and mitigate learning loss. Today, those devices are approaching the end of their useful lives — and a "great Chromebook refresh" has been predicted as schools seek to replace them with newer models.  

  • THE Journal Product Award logo

    THE Journal Announces 2024 Product of the Year Winners

    Seventeen companies were selected as winners for their product achievements.