K-12 Cybersecurity News

Illuminate Data Breach Spreads to Fifth State as Oklahoma City Notifies Parents

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach.

Oklahoma City Public Schools has added its 34,000 students to the growing list of those impacted by the Illuminate Education data breach that occurred during a January cyberattack — the first in Oklahoma known to have been among the K–12 schools and districts whose private student data was compromised within Illuminate’s systems.

On Friday, May 13, OKCPS emailed parents and staff members to alert them that “certain information belonging to OKCPS that was in Illuminate’s possession” may have been breached during the January cyberattack targeting Illuminate. The letter does not specify what type of private student data was compromised; most other impacted districts have said in their notifications that the breach did not include Social Security numbers.

“Illuminate has assured us that they are taking all necessary steps with the assistance of their IT staff and a team of third-party computer specialists to investigate this incident,” OKCPS’ email to parents said, adding that Illuminate was mailing letters to parents of impacted students with more information on the incident and how to protect students from identity theft.

The email was first reported by Oklahoma City Free Press over the weekend and was confirmed by THE Journal today with OKCPS officials.

The district email said OKCPS “does not have any details about this incident or the investigation” and shared a phone number for an Illuminate Education “dedicated call center” for those potentially impacted by the data breach and encouraged parents with questions to contact the call center at (833) 749-1673.

The Illuminate data breach is, thus far, known to have impacted nearly 2 million current students including more than 820,000 in New York City alone. Many districts and schools have said in their notification letters that current as well as former students had their private information compromised.

Within recent weeks, eight school districts in Colorado with total current enrollment of about 136,700 have alerted parents that current and former students were involved in the breach. Three Connecticut districts and one in California have also published data breach notifications to parents.

Illuminate has told THE Journal that the breach was discovered after it began investigating suspicious access to its systems in early January. The incident resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.

Hard-Hit New York Responds with Investigation of Illuminate

The New York State Education Department on May 5 told THE Journal that 567 schools in the state — including “at least” 1 million current and former students — were among those impacted by the Illuminate data breach, and NYSED data privacy officials opened an investigation on April 1.

The list of all New York schools impacted by the data breach was sent to THE Journal in response to a Freedom of Information request; NYSED officials said the list came from Illuminate. Each impacted district was working to confirm how many current and former students were among those whose data were compromised, and each is required by law to report those totals to NYSED, so the total number of students affected was expected to grow, the department said.

The department is investigating whether Illuminate was meeting data protection standards required under state law — standards it contractually agreed to with its clients within the state, NYSED said.

New York law requires any third-party contractor with access to student data to encrypt the student data “at rest and in motion,” O’Hare said, citing Education Law §2-d and Commissioner of Education regulations 8 NYCRR §§ 121.3 (c)(6) and 121.9(a)(7).

When a breach of student data occurs, state law authorizes NYSED’s Chief Privacy Officer to “investigate and potentially impose civil penalties; order that a third party contractor be precluded from accessing student data from the educational agency with which it contracted, or the state of New York; determine that a third-party contractor is not a responsible bidder; and/or require the third party contractor to provide training,” O’Hare explained.

New York’s Education Law §2-d, strengthened to protect student data privacy in 2019, states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” The law also requires that affected schools must be notified of any data breach “without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.”

For months after the cyberattack took its school software off-line, Illuminate remained quiet; then in late March, the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post at the time that they were asking state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

Illuminate Education told THE Journal via email that the students’ data was compromised during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were also impacted by the breach.

Illuminate has said the breach did not include Social Security numbers; notification letters since shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

Illuminate has not responded to multiple follow-up emails and phone calls seeking more information.

Why No One Knows How Many Districts Were Impacted in Other States

Most states do not closely oversee the protection of student data either within public school districts or by vendors whose school software products collect student data, and only a few states have laws mandating public disclosure of cyberincidents where private data is compromised. New York is one of a handful of exceptions.

In Colorado, for example, there is no requirement for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal today. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.

California law requires districts impacted by data breaches to file a notice with the state Attorney General’s office, which posts them online.

The widespread nature of the Illuminate data breach — and the fact that the impacted districts were not notified for three months, and some are still being notified four months later — underscores the need for a “greater focus on school vendor security practices,” said Doug Levin, national director at K12 Security Information Exchange, the nation’s only nonprofit dedicated to K–12 school cybersecurity.

“Vendors such as Illuminate Education hold confidential records on millions of current and former students and staff,” Levin told THE Journal. “Ensuring that K–12 vendors have a robust cybersecurity risk management program — including third-party audits and the national cybersecurity certifications — should be the bar for entry to the school market, not the exception. The veil of secrecy around this incident only serves to obscure the steps necessary to ensure this situation is avoided in the future.”

K12SIX’s annual State of K–12 Cybersecurity Year in Review report released in March emphasized a need for greater oversight and mandated public disclosure of all cyber incidents where threat actors gain access to the personal, private data of students or school employees.

Levin said the danger of identity theft is far greater for a minor whose personal information was stolen than for an adult.

“You’d think that getting the identify information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused and their credit record can be hijacked and used for five to 10 years before anyone figures out their identify has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

The risk to those whose personal data is stolen is not hypothetical, Levin emphasized.

“We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”