School Data Breach

565 Schools, Over 1M Students in NY Impacted by Illuminate Data Breach, NYSED Says; 2nd Colorado District Notifies Parents

Investigation Launched into Illuminate Data Protection Practices, Official Tells THE Journal

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach

The New York State Education Department says 565 schools in the state — including over 1 million current and former students — were among those whose private student data was compromised during a January cyberattack on Illuminate Education’s systems, and officials have opened an investigation, NYSED told THE Journal.

The list of New York schools impacted by the data breach was sent to THE Journal today in response to a Freedom of Information request; NYSED officials said the list came from Illuminate. New York state has just over 4,400 schools in all, according to NYSED’s website.

Under New York law, each local education agency impacted by a breach must file a detailed report with NYSED within a week confirming the number of current and former students and/or staff whose data was compromised. That process is ongoing, according to the email received today from the NYSED Records Office.

Also this week, another district in Colorado has announced it, too, was impacted by the Illuminate data breach. According to 9News KUSA-TV in Denver, Douglas County School District — Colorado’s third largest with 64,000 students — sent a note to parents this week. “The district said the company, Illuminate Education, provides apps and tech support to schools across the country, including the Douglas County School District,” 9News reported. “They said ‘an unauthorized third party’ gained access to a dataset containing student information.” The letter did not specify how many students had been impacted.

Douglas County is the second district in Colorado to notify parents it was impacted by a data breach within Illuminate Education’s systems; the first was Mesa County Valley School District 51 in Grand Junction, Colo., with enrollment of about 21,000. A district in Connecticut, Coventry Public Schools, with enrollment of about 1,650, also has announced it was impacted by the Illuminate data breach.


Thus far, 17 local education agencies in New York — 15 districts and two charter school groups — have filed their data breach reports with NYSED showing that 179,377 current and former students had their private data stolen during the incident, according to the document sent to THE Journal. That total does not include the number impacted at NYC Schools, where officials said in late March that about 820,000 current and former students had been impacted by the Illuminate breach.

Chart shows the confirmed number of students affected by Illuminate Education data breach at New York State education agencies who have completed their state reporting; hundreds more schools are expected to file their privacy incident reports in the coming days.

All but one of the agencies whose data breach reports have been filed with the state show more students impacted than currently enrolled; for example, Success Academy Charter Schools, which has nearly three dozen schools in its network, reported 55,595 students affected by the breach, while the enrollment figures on NYSED’s website total just under 20,000.

Earlier this week, a NYSED official told THE Journal that its Chief Privacy Officer on April 1 launched an investigation into the data breach.

The exact number of New York students impacted by the data breach was not readily available, Deputy Director of Communications J.P. O’Hare said: “According to the information that NYSED has obtained to date, at least 1 million New York State students have been impacted.”

O’Hare’s email came in response to questions from THE Journal about a data breach notification letter template that NYSED posted on its website to guide New York schools in telling parents about their students’ private data being compromised during the Illuminate cyberattack.

Because districts and BOCES schools make decisions locally about which software to use in their schools, NYSED is not yet certain how many schools use Illuminate Education’s half-dozen K–12 software products — all of which were off-line for a week or more during the January cyberattack, according to its service status site. The company’s website states that its K–12 ed tech solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.

New York law requires any third-party contractor with access to student data to encrypt the student data “at rest and in motion,” O’Hare said, citing Education Law §2-d and Commissioner of Education regulations 8 NYCRR §§ 121.3 (c)(6) and 121.9(a)(7).

When a breach of student data occurs, state law authorizes NYSED’s Chief Privacy Officer to “investigate and potentially impose civil penalties; order that a third party contractor be precluded from accessing student data from the educational agency with which it contracted, or the state of New York; determine that a third-party contractor is not a responsible bidder; and/or require the third party contractor to provide training,” O’Hare explained.

“NYSED privacy office has undertaken an investigation of the Illuminate Education breach,” he told THE Journal. “As part of that investigation, NYSED’s privacy office has asked all school districts and charter schools to complete a survey providing information as to what Illuminate Education products, if any, were or are used by the school.”

What New York’s Law Says & Why It Matters

New York’s Education Law §2-d, strengthened to protect student data privacy in 2019, states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” The law also requires that affected schools must be notified of any data breach “without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.” After a third-party breach notification, or after independent discovery by the school itself, the affected school must notify NYSED within 10 calendar days. Regardless of where the breach or unauthorized release was discovered, the school must notify affected individuals without unreasonable delay but in no case more than 14 calendar days from the date of discovery.

For months after the cyberattack took its school software off-line, Illuminate remained quiet; then in late March, the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post at the time that they were asking state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

Illuminate Education told THE Journal in response to emailed questions about the NYC data breach that the students’ data was compromised during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were also impacted by the breach and now at risk of identity theft. Illuminate has not responded to multiple follow-up emails and phone calls seeking more information.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” Illuminate Education said in a March email reply to THE Journal. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again. Please note that we do not store financial information or Social Security numbers on our systems so these types of information were not affected.”

A data breach affecting 820,000 students would qualify as the largest single-school data breach in U.S. history, cybersecurity expert Doug Levin told THE Journal last month. Confirmation of more school data breaches related to the January cyberattack on Illuminate systems raises many serious questions that demand answers, said Levin, who is national director for the nation’s only nonprofit dedicated to K–12 school cybersecurity, the K12 Security Information Exchange (K12SIX).

“When did Illuminate Education learn of the incident? How did they respond? How is it that multiple schools both inside and outside of New York were affected by this incident?” Levin asked rhetorically. “Why did it take so long for Illuminate Education to inform affected parties? What is the total number of records exposed? Have all the affected individuals been notified? If not, when will they be?”

The data breach within Illuminate’s systems underscores the need for a “greater focus on school vendor security practices,” he added.

“Vendors such as Illuminate Education hold confidential records on millions of current and former students and staff,” Levin said. “Ensuring that K–12 vendors have a robust cybersecurity risk management program — including third-party audits and the national cybersecurity certifications — should be the bar for entry to the school market, not the exception. The veil of secrecy around this incident only serves to obscure the steps necessary to ensure this situation is avoided in the future.”

K12SIX’s annual State of K–12 Cybersecurity Year in Review report released in March emphasized a need for greater oversight and mandated public disclosure of all cyber incidents where threat actors gain access to the personal, private data of students or school employees.

K–12 schools are not required in most states to publicly disclose cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, the report said. (New York is one of a handful of exceptions.) Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, K12SIX’s report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.

The danger of identity theft is far greater for a minor whose personal information was stolen than for an adult, Levin told THE Journal in March, after the Year in Review report was released.

“You’d think that getting the identity information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused and their credit record can be hijacked and used for five to 10 years before anyone figures out their identity has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

The risk to those whose personal data is stolen is not hypothetical, Levin said.

“We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated against not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”

The NYSED Data Breach Notification Template

About a week ago, NYSED posted the following on its website:

“Guidance from the New York State Education Department’s Privacy Office regarding the notification of former students is that each educational agency must do the best it can to notify all students, current and former, regarding the Illuminate Education breach.

“Therefore, each educational agency must notify all former students for whom it has any address or location information, including an email address. Additionally, it is advised that each educational agency maintain a list of the current students’ parent/guardians and former students it attempted to notify individually.

“Finally, a notice on the educational agency’s web page is appropriate because of the past years the breach includes.”

The post goes on to share a “sample web page notification” for schools to “use when notifying the parents/guardian of current students, eligible students, and in this case former students as well as potentially, teachers and principals, about the Illuminate Education breach.”

The notification template to alert parents and staff reads as follows:

“In accordance with State Education Law 2-d we are required to notify you when a third-party contractor that receives student data or teacher or principal data pursuant to a contract or written agreement with us had an unauthorized release of such data. As such, this notice is to inform you that Illuminate Education, an educational software company whose products are used in our school district/charter school, has informed us that some databases containing potentially protected student information were subject to unauthorized access between December 28, 2021, and January 8, 2022.

“According to Illuminate Education the affected databases included names, demographic and academic information. The data accessed pertains to the following school years, (insert years).

“Affected current students and former students for which we have contact information, teachers and principals where applicable will receive a letter from us/Illuminate Education with more information on the information accessed. … If you are a former student and would like additional information, please contact us at (phone number) or by email at (email address), so that we may send you a letter with additional information on the data accessed.”