Student Data Breach

Illuminate Education Breach Included Los Angeles Unified & Riverside County Districts, Pushing Total Impacted to Over 3M

California's Largest District & Riverside County Add Nearly 1 Million To the Number of Students Whose Private Data Was Stolen From Illuminate

[Updated on Aug. 11, 2022, to clarify that Desert Sands Unified School District, part of the Riverside County Office of Education group of districts, was not impacted by the breach, according to a district spokeswoman.]  

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach.

The breach of student data that occurred during a January 2022 cyberattack targeting Illuminate Education’s systems is now known to have impacted the nation’s second-largest school district, Los Angeles Unified with 430,000 students, which has notified state officials along with 24 other districts in California and one in Washington state.

The data breach notifications posted on the California Attorney General’s website in the past week by LAUSD, Ceres Unified School District with 14,000 students, and Riverside County Office of Education representing 23 districts and 431,000 students, mean that Illuminate Education’s data breach leaked the private information of well over 3 million students — and potentially several times that total.

The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of data breaches; Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools but declined to specify the total number of students impacted in multiple email communications with THE Journal.

An LAUSD spokesperson told THE Journal that the district takes student data privacy very seriously during the vendor vetting process; the spokesperson referred questions about the number of current and former students impacted by the Illuminate breach to the district’s public records office, which hasn’t responded to THE Journal’s request for information.

“The safety and privacy of students’ data in Los Angeles Unified School District is a top consideration and critical component of vetting any third-party tools or products used for instructional purposes in the district,” the LAUSD spokesperson said. “All providers of digital instructional software, licenses and online subscriptions must have an approved Unified Digital Instruction Protection Plan on file, which includes execution of a Data Use Agreement, and protects student personally identifiable information, product access, and the district’s network when digital instructional software requires the exchange of student and/or employee information to enable access to log in and use the product.”

The estimated total of 3 million is based on New York State Department of Education official estimates that “at least 2 million” statewide were impacted, plus the current enrollment figures of the other districts that have since disclosed their student data was also breached by Illuminate.

California requires a notice of a data breach to be posted on the attorney general’s website, but the notices do not include any details such as what data was stolen, nor the number of students affected; the same is true in Washington, where Impact Public Schools in South Puget Sound notified the state attorney general this week that its students were among those impacted by the Illuminate incident.

Oklahoma City Public Schools on May 13 added its 34,000 students to the ever-growing list of those impacted by the Illuminate Education data breach; thus far, it is the only district in Oklahoma known to have been among the hundreds of K–12 schools and districts across the country whose private student data was compromised while stored within Illuminate’s systems. Oklahoma has no statewide public disclosure requirements, so it’s left up to local districts to decide whether and how to notify parents in the event of a breach of student data, Oklahoma Department of Education officials told THE Journal recently.

In Colorado, where nine districts have publicly disclosed that the Illuminate breach included the data of their combined 140,000 students, there is no legal mandate for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.

Most of the notifications shared by districts included in the breach have simply shared a template letter, or portions of it, signed by Illuminate Education. It states that Social Security numbers were not part of the private information that was stolen during the cyberattack. Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

Illuminate has told THE Journal that the breach was discovered after it began investigating suspicious access to its systems in early January. The incident resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.

Hard-Hit New York Responds with Investigation of Illuminate

The New York State Education Department on May 5 told THE Journal that 567 schools in the state — including “at least” 1 million current and former students — were among those impacted by the Illuminate data breach, and NYSED data privacy officials opened an investigation on April 1.

The list of all New York schools impacted by the data breach was sent to THE Journal in response to a Freedom of Information request; NYSED officials said the list came from Illuminate. Each impacted district was working to confirm how many current and former students were among those whose data were compromised, and each is required by law to report those totals to NYSED, so the total number of students affected was expected to grow, the department said.

The department is investigating whether Illuminate was meeting data protection standards required under state law — standards it contractually agreed to with its clients within the state, NYSED said.

New York law requires any third-party contractor with access to student data to encrypt the student data “at rest and in motion,” O’Hare said, citing Education Law §2-d and Commissioner of Education regulations 8 NYCRR §§ 121.3 (c)(6) and 121.9(a)(7).

When a breach of student data occurs, state law authorizes NYSED’s Chief Privacy Officer to “investigate and potentially impose civil penalties; order that a third party contractor be precluded from accessing student data from the educational agency with which it contracted, or the state of New York; determine that a third-party contractor is not a responsible bidder; and/or require the third party contractor to provide training,” O’Hare explained.

New York’s Education Law §2-d, strengthened to protect student data privacy in 2019, states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” The law also requires that affected schools must be notified of any data breach “without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.”

For months after the cyberattack took its school software off-line, Illuminate remained quiet; then in late March, the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post at the time that they were asking state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

Illuminate has not responded to multiple follow-up emails and phone calls seeking more information.

The widespread nature of the Illuminate data breach — and the fact that the impacted districts were not notified for three months, and some are still being notified four months later — underscores the need for a “greater focus on school vendor security practices,” said Doug Levin, national director at K12 Security Information Exchange, the nation’s only nonprofit dedicated to K–12 school cybersecurity.

“Vendors such as Illuminate Education hold confidential records on millions of current and former students and staff,” Levin told THE Journal. “Ensuring that K–12 vendors have a robust cybersecurity risk management program — including third-party audits and the national cybersecurity certifications — should be the bar for entry to the school market, not the exception. The veil of secrecy around this incident only serves to obscure the steps necessary to ensure this situation is avoided in the future.”

K12SIX’s annual State of K–12 Cybersecurity Year in Review report released in March emphasized a need for greater oversight and mandated public disclosure of all cyber incidents where threat actors gain access to the personal, private data of students or school employees.

Levin said the danger of identity theft is far greater for a minor whose personal information was stolen than for an adult.

“You’d think that getting the identify information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused and their credit record can be hijacked and used for five to 10 years before anyone figures out their identify has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

The risk to those whose personal data is stolen is not hypothetical, Levin emphasized.

“We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”