IO Classroom Cyberattack in January Compromised Personal Data of Over 800K NYC Students

Illuminate Education Confirms January Outages Affecting 5M Students Included a Data Breach, Declines to Disclose Whether Other Districts' Data Impacted

A January cyberattack targeting Illuminate Education’s digital grading, attendance, and parent-teacher communication platforms used by New York City’s public schools resulted in a data breach affecting about 820,000 current and former students, according to a report published over the weekend by the New York Post.

That would make it the largest known breach of K–12 students’ personal data at a single district in U.S. history, according to K12 Security Information Exchange National Director Doug Levin. 

The number of students whose personal data was compromised could actually be much larger. The outages in the January incident impacted all the approximately 7,500 public K–12 schools that use Illuminate’s IO Classroom solutions. IO Classroom serves about 5 million U.S. students, according to past statements by the company.

Illuminate Education told THE Journal today that it has confirmed that a data breach occurred during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were impacted.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” Illuminate Education said in a statement emailed to THE Journal. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again. Please note that we do not store financial information or Social Security numbers on our systems so these types of information were not affected.”

The Post reported late Friday that the cyber attacker had gained access to students’ names, birthdays, ethnicities, and English-speaking, special-education, and free-lunch statuses, quoting unnamed sources at the city’s Department of Education.

Illuminate Education’s ed tech solutions include IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others. The company, based in Irvine, California, declined to answer — in its email response to THE Journal on Monday — whether any other school districts may have been impacted by the data breach from the January service outages.

Illuminate Education previously confirmed outages of its IO Classroom platform used by New York City schools, starting on Jan. 8. Other Illuminate platforms included during that outage — which lasted nine days for IO Classroom and longer for the other apps — were PALS, IO Assessments, IO Insights, PupilPath, and Compass. The company’s service status site posted brief updates throughout the outage but never disclosed the cause of the attack.

Levin at K12SIX told THE Journal today that it's impossible to know how many of Illuminate Education's customers may have been impacted by the data breach. "It's possible it was just New York City's data that was breached and Illuminate took down the rest of the system to be cautious," he said. "It's hard to know without more technical details from Illuminate about what happened." 

NYC education officials on Friday accused Illuminate of failing to encrypt student data kept on its IO Classroom and PupilPath platforms, according to the Post’s report, which quoted NYCDOE Chancellor David Banks as calling for authorities to investigate the ed tech provider.

The breach resulted in the theft of personal data of students from 2016–2017 school year to now, the Post reported.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured

  • robot typing on a computer

    Microsoft Unveils 'Computer Use' Automation in Copilot Studio

    Microsoft has announced a new AI-powered feature called "computer use" for its Copilot Studio platform that allows agents to directly interact with Web sites and desktop applications using simulated mouse clicks, menu selections and text inputs.

  • AI microchip under cybersecurity attack, surrounded by symbols of threats like a skull, spider, lock, and warning shield

    Report Finds Agentic AI Protocol Vulnerable to Cyber Attacks

    A new report from Backslash Security has identified significant security vulnerabilities in the Model Context Protocol (MCP), technology introduced by Anthropic in November 2024 to facilitate communication between AI agents and external tools.

  • educators seated at a table with a laptop and tablet, against a backdrop of muted geometric shapes

    HMH Forms Educator Council to Inform AI Tool Development

    Adaptive learning company HMH has established an AI Educator Council that brings together teachers, instructional coaches and leaders from school district across the country to help shape its AI solutions.

  • illustration of a human head with a glowing neural network in the brain, connected to tech icons on a cool blue-gray background

    Meta Introduces Stand-Alone AI App

    Meta Platforms has launched a stand-alone artificial intelligence app built on its proprietary Llama 4 model, intensifying the competitive race in generative AI alongside OpenAI, Google, Anthropic, and xAI.