Student Data Breach

Two More Districts, in California and Connecticut, Say Their Students' Data Included in Illuminate Education Breach

• By Kristal Kuykendall
• 06/13/22

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach. Find more details about the Illuminate data breach — such as why New York is investigating the ed tech company and why cybersecurity experts say transparency should be mandated — in this previous report.

Two more school districts have recently notified parents that their students were among the millions across the country impacted by the Illuminate Education breach of private student data.

Ventura Unified School District in California and Newtown Public Schools in Connecticut have joined the hundreds of schools across six states that have notified parents of the breach. Ventura USD, like other California districts known to have been impacted, posted a form letter, dated June 10, from Illuminate on the California Attorney General’s data breach notification website.

Ventura USD has approximately 16,300 students currently enrolled; the notification letter did not specify whether former students were also impacted by the breach, as has been the case with many other impacted districts.

Newtown Public Schools, with current enrollment of about 4,100, notified parents via email in mid-May, according to a report published today in The Newtown Bee. The newspaper reported that parents also received a template notification letter in the mail from Illuminate that was dated May 27.

The breach occurred during a January 2022 cyberattack targeting Illuminate Education’s systems and is known to have impacted the nation’s two largest school districts, New York City Department of Education with about 820,000 students currently enrolled and Los Angeles Unified with 430,000 students, along with hundreds of other schools across New York state, 24 other districts in California, nine districts in Colorado, four in Connecticut, one in Oklahoma, and one in Washington state.

Most of the notifications shared by districts included in the breach have used a template, or portions of it, signed by Illuminate Education. It states that Social Security numbers were not part of the private information that was stolen during the cyberattack. Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

Many of the districts’ notifications have said that current as well as former students from as many as 10 years ago had their private data stolen in the breach; New York State Department of Education officials have estimated that “at least 2 million” statewide were impacted, leading to THE Journal’s estimated impact of at least 3 million, when counting those currently enrolled at the impacted California districts.

The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of data breaches. Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools, but the company declined to specify the total number of U.S. students impacted, in multiple email communications with THE Journal.

California requires a notice of a data breach to be posted on the attorney general’s website, but the notices do not include any details such as what data was stolen, nor the number of students affected; the same is true in Washington, where Impact Public Schools in South Puget Sound notified the state attorney general that its students were among those impacted by the Illuminate incident.

Oklahoma City Public Schools on May 13 notified parents that its 34,000 students were also impacted by the Illuminate Education data breach; thus far, it is the only district in Oklahoma known to have been impacted. Oklahoma has no statewide public disclosure requirements, so it’s left up to local districts to decide whether and how to notify parents in the event of a breach of student data, Oklahoma Department of Education officials told THE Journal last month.

In Colorado, where nine districts have publicly disclosed that the Illuminate breach included the data of their combined 140,000 students, there is no legal mandate for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.

Illuminate has told THE Journal that the breach was discovered after it began investigating suspicious access to its systems in early January. The incident resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.