Ed Tech Cybersecurity

Illuminate Data Breach Impact in CO Grows to 8 Districts Plus 1 CA District and 3 in CT

Reach of Cyberattack That Compromised Over 1M Students' Data at 565 Schools in NY Still Spreading Nationally

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach

The impact of the Illuminate Education data breach that occurred in January continues growing as more K–12 school districts in Colorado and Connecticut and one in California have notified parents that their students, too, had their private information stolen.

Eight school districts in Colorado — with total current enrollment of about 136,700 students — have recently alerted parents that current and former students were impacted in the breach, which Illuminate has said was discovered after it began investigating suspicious access to its systems in early January.

The incident at Illuminate resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.

The New York State Education Department last week told THE Journal that 565 schools in the state — including “at least” 1 million current and former students — were among those impacted by the Illuminate data breach, and data privacy officials there opened an investigation on April 1.

The list of all New York schools impacted by the data breach was sent to THE Journal in response to a Freedom of Information request; NYSED officials said the list came from Illuminate. Each impacted district was working to confirm how many current and former students were among those whose data were compromised, and each is required by law to report those totals to NYSED, so the total number of students affected was expected to grow, the department said last week.

Since late April, the following school districts have confirmed in letters to parents or on their websites that current and/or former students were impacted by the data breach:

Colorado Districts Known as Impacted by Data Breach:

California Districts Known as Impacted by Data Breach:

Connecticut Districts Known as Impacted by Data Breach:

  • Coventry Public Schools in Connecticut, current enrollment 1,650; did not specify the total impacted.
  • Pomperaug Regional School District 15, current enrollment about 3,600; said the breach affected students enrolled during 2017–2019 school years; the district ceased using Illuminate Education in 2019.
  • Cheshire Public Schools, current enrollment about 1,500; said the breach affected students enrolled during the 2017–2019 school years.

New York Districts Known as Impacted by Data Breach:

    As of last week, 17 local education agencies in New York — 15 districts and two charter school groups — had filed their data breach reports with NYSED showing that 179,377 current and former students had their private data stolen during the incident, according to the document sent to THE Journal. That total does not include the number impacted at NYC Schools, where officials said in late March that about 820,000 current and former students had been impacted by the Illuminate breach.

    All but one of the agencies whose data breach reports have been filed with the state said that more students were impacted than were currently enrolled, meaning both current and former students were impacted by the breach. For example, Success Academy Charter Schools, which has nearly 3 dozen schools in its network, reported 55,595 students affected by the breach, while current enrollment is just under 20K.

    The exact number of New York students impacted by the data breach was not yet available, Deputy Director of Communications J.P. O’Hare said: “According to the information that NYSED has obtained to date, at least 1 million New York State students have been impacted.”

    O’Hare’s email came in response to questions from THE Journal about a data breach notification letter template that NYSED posted on its website to guide New York schools in telling parents about their students’ private data being compromised during the Illuminate cyberattack.

    Because districts and BOCES schools make decisions locally about which software to use in their schools, NYSED said last week it was not yet certain how many schools use Illuminate Education half-dozen K–12 software products.

    The department is investigating whether Illuminate was meeting data protection standards required under state law — standards it contractually agreed to with its clients within the state, NYSED said.

    New York law requires any third-party contractor with access to student data to encrypt the student data “at rest and in motion,” O’Hare said, citing Education Law §2-d and Commissioner of Education regulations 8 NYCRR §§ 121.3 (c)(6) and 121.9(a)(7).

    When a breach of student data occurs, state law authorizes NYSED’s Chief Privacy Officer to “investigate and potentially impose civil penalties; order that a third party contractor be precluded from accessing student data from the educational agency with which it contracted, or the state of New York; determine that a third-party contractor is not a responsible bidder; and/or require the third party contractor to provide training,” O’Hare explained.

    New York’s Education Law §2-d, strengthened to protect student data privacy in 2019, states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” The law also requires that affected schools must be notified of any data breach “without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.”

    For months after the cyberattack took its school software off-line, Illuminate remained quiet; then in late March, the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post at the time that they were asking state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

    Illuminate Education told THE Journal via email that the students’ data was compromised during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were also impacted by the breach.

    Illuminate has said the breach did not include Social Security numbers; notification letters since shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

    Illuminate has not responded to multiple follow-up emails and phone calls seeking more information.

    Why No One Knows How Many Districts Were Impacted in Other States

    Most states do not closely oversee the protection of student data either within public school districts or by vendors whose school software products collect student data, and only a few states have laws mandating public disclosure of cyberincidents where private data is compromised. New York is one of a handful of exceptions.

    In Colorado, for example, there is no requirement for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal today. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.

    California law requires districts impacted by data breaches to file a notice with the state Attorney General’s office, which posts them online.

    The widespread nature of the Illuminate data breach — and the fact that the impacted districts were not notified for three months, and some are still being notified four months later — underscores the need for a “greater focus on school vendor security practices,” said Doug Levin, national director at K12 Security Information Exchange, the nation’s only nonprofit dedicated to K–12 school cybersecurity.

    “Vendors such as Illuminate Education hold confidential records on millions of current and former students and staff,” Levin told THE Journal. “Ensuring that K–12 vendors have a robust cybersecurity risk management program — including third-party audits and the national cybersecurity certifications — should be the bar for entry to the school market, not the exception. The veil of secrecy around this incident only serves to obscure the steps necessary to ensure this situation is avoided in the future.”

    K12SIX’s annual State of K–12 Cybersecurity Year in Review report released in March emphasized a need for greater oversight and mandated public disclosure of all cyber incidents where threat actors gain access to the personal, private data of students or school employees.

    Levin said the danger of identity theft is far greater for a minor whose personal information was stolen than for an adult.

    “You’d think that getting the identify information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused and their credit record can be hijacked and used for five to 10 years before anyone figures out their identify has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

    The risk to those whose personal data is stolen is not hypothetical, Levin emphasized.

    “We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”