IO Classroom Cyberattack in January Compromised Personal Data of Over 800K NYC Students

Illuminate Education Confirms January Outages Affecting 5M Students Included a Data Breach, Declines to Disclose Whether Other Districts' Data Impacted

• By Kristal Kuykendall
• 03/28/22

A January cyberattack targeting Illuminate Education’s digital grading, attendance, and parent-teacher communication platforms used by New York City’s public schools resulted in a data breach affecting about 820,000 current and former students, according to a report published over the weekend by the New York Post.

That would make it the largest known breach of K–12 students’ personal data at a single district in U.S. history, according to K12 Security Information Exchange National Director Doug Levin. 

The number of students whose personal data was compromised could actually be much larger. The outages in the January incident impacted all the approximately 7,500 public K–12 schools that use Illuminate’s IO Classroom solutions. IO Classroom serves about 5 million U.S. students, according to past statements by the company.

Illuminate Education told THE Journal today that it has confirmed that a data breach occurred during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were impacted.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” Illuminate Education said in a statement emailed to THE Journal. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again. Please note that we do not store financial information or Social Security numbers on our systems so these types of information were not affected.”

The Post reported late Friday that the cyber attacker had gained access to students’ names, birthdays, ethnicities, and English-speaking, special-education, and free-lunch statuses, quoting unnamed sources at the city’s Department of Education.

Illuminate Education’s ed tech solutions include IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others. The company, based in Irvine, California, declined to answer — in its email response to THE Journal on Monday — whether any other school districts may have been impacted by the data breach from the January service outages.

Illuminate Education previously confirmed outages of its IO Classroom platform used by New York City schools, starting on Jan. 8. Other Illuminate platforms included during that outage — which lasted nine days for IO Classroom and longer for the other apps — were PALS, IO Assessments, IO Insights, PupilPath, and Compass. The company’s service status site posted brief updates throughout the outage but never disclosed the cause of the attack.

Levin at K12SIX told THE Journal today that it's impossible to know how many of Illuminate Education's customers may have been impacted by the data breach. "It's possible it was just New York City's data that was breached and Illuminate took down the rest of the system to be cautious," he said. "It's hard to know without more technical details from Illuminate about what happened." 

NYC education officials on Friday accused Illuminate of failing to encrypt student data kept on its IO Classroom and PupilPath platforms, according to the Post’s report, which quoted NYCDOE Chancellor David Banks as calling for authorities to investigate the ed tech provider.

The breach resulted in the theft of personal data of students from 2016–2017 school year to now, the Post reported.