Stolen Student Data

Number of Districts Impacted by Illuminate Student Data Breach Grows as a Third Alerts Parents

• By Kristal Kuykendall
• 04/25/22

The number of school districts whose student data was breached during a January cyberattack on Illuminate Education’s systems continues growing as a third district has alerted parents their students’ personal information was compromised.

Last week, two school districts — Coventry in Connecticut and Mesa County Valley in Colorado — announced that they’d been notified by Illuminate that their students’ data had been breached. Both districts cited Illuminate’s Educlimber software for student assessments and progress monitoring.

When Illuminate’s systems were hit in January, all of its school software products were knocked off-line for a week or more, according to its service status site; the company’s website states that its K–12 ed tech solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools with a total enrollment of about 17 million U.S. students.

For months, Illuminate remained quiet about the cyberattack, then last month the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post they want state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

A data breach affecting 820,000 students would make it the largest single-school data breach in U.S. history, cybersecurity expert Doug Levin told THE Journal last month. It appears now that the breach affected even more students, he added last week. Confirmation of more school data breaches related to the cyberattack on Illuminate systems “suggests that maybe the Illuminate Education breach is bigger than New York City,” said Levin, who is national director of cybersecurity nonprofit K12 Security Information Exchange.

Illuminate Education told THE Journal last month via email that a data breach impacting NYC schools occurred during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were impacted. Illuminate has not responded to additional emails and phone calls seeking more information.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” Illuminate Education said in a March email reply to THE Journal. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again. Please note that we do not store financial information or Social Security numbers on our systems so these types of information were not affected.”

Since then, two more schools have publicly announced they were impacted by the data breach.

Last Monday, on April 18, Coventry Public Schools in Connecticut posted a notice on its website stating that student data within the Illuminate software it uses, eduClimber, had been compromised; the district said Illuminate is mailing a letter to parents offering “complimentary” identity monitoring service for a year. Coventry has a total enrollment of about 1,650 students, according to its website.

Last Friday, on April 22, the superintendent of Mesa County Valley School District 51 in Grand Junction, Colo., wrote in her Weekly Update that the district “recently received a letter from Illuminate Education (parent company of Educlimber) stating that some potentially protected data involving past or current students may have been accessed during a breach of Illuminate Education’s database.”

D51, as it is known locally, has about 21,000 current students and is the 14th-largest school district in Colorado.

“The databases impacted by the unauthorized access may have included student names, academic and behavior information, enrollment information, accommodation information, special education information, and demographic information,” wrote D51 Superintendent Diana Sirko. “Social security numbers and financial information was not part of the breach. We are taking this seriously and have requested a full report on the breached files. We will notify the Attorney General’s Office once we have the files and notify any affected students and their families.”

Coventry Public Schools’ notice to parents said: “We are writing to inform you that one of our vendors experienced a data breach of an application which houses student data for Coventry Public Schools. Illuminate Education is an education company that provides applications and technology support to school districts, including eduCLIMBER which is used in our district. We were recently notified of an incident that may affect the security of some of your child's information. According to Illuminate Education, affected databases included names along with demographic and academic related information for some current and former students. We have been told there is no evidence that any information was subject to actual or attempted misuse.

“Coventry Public Schools is working in partnership with Illuminate Education to help support affected families with this incident. Affected families will be receiving a mailing from Illuminate Education offering those children complimentary access to 12 months of identity monitoring services through IDX. The letters will contain information on how to enroll if you elect to do so, along with additional information regarding data privacy.”