Two More Districts, in California & Washington, Add 22K to Number of Students Impacted by Illuminate Breach

  • By Kristal Kuykendall
  • 07/05/22

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach. Find more details about the Illuminate data breach — such as why New York is investigating the ed tech company and why cybersecurity experts say transparency should be mandated — in this previous report.

Two more school districts have filed state-mandated notification letterswith their respective state Attorney Generals revealing that their students — a combined total of at least 22,000 — were among the millions across the country impacted by the Illuminate Education breach of private student data.

Waterford Unified School Districtin California and Renton School District in Washington have joined the hundreds of schools across six states that have notified parents of the breach.

Waterford USD, like other California districts known to have been impacted, posted a form letter, dated July 1, from Illuminate on the California Attorney General’s data breach notification website. The letter does not specify the number of students impacted; Waterford USD had about 1,700 students enrolled in the most recent school year, according to its website.

Renton School District’s notification letter was filed on June 21 by attorneys at Lewis Brisbois law firm on behalf of the district and posted to the Washington Attorney General data breach notification website; it states that the district first learned it was impacted by the breach on May 4 and on May 31 district IT officials confirmed that “some personal information” belonging to 20,509 Washington residents was stolen during the Illuminate breach. Renton’s enrollment is about 15,500, according to its website, indicating that current as well as former students were impacted.

The Renton School District data that was breached included “student names, student identification numbers, academic and behavior information, enrollment information, accommodation information, and student demographic information,” according to the notification letter.

The Illuminate Education data breach occurred during a January 2022 cyberattack targeting Illuminate Education’s systems and is known to have impacted the nation’s two largest school districts, New York City Department of Education with about 820,000 students currently enrolled and Los Angeles Unified with 430,000 students, along with hundreds of other schools across New York state, 24 other districts in California, nine districts in Colorado, four in Connecticut, one in Oklahoma, and one in Washington state.

Most of the notifications shared by districts included in the breach have used a template, or portions of it, signed by Illuminate Education. It states that Social Security numbers were not part of the private information that was stolen during the cyberattack. Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioralrecords, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

Many of the districts’ notifications have said that current as well as former students from as many as 10 years ago had their private data stolen in the breach; New York State Department of Education officials have estimated that “at least 2 million” statewide were impacted, leading to THE Journal’s estimated impact of at least 3 million, when counting those currently enrolled at the impacted districts in other states.

The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of data breaches. Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools, but the company declined to specify the total number of U.S. students impacted, in multiple email communications with THE Journal.

California requires a notice of a data breach to be posted on the attorney general’s website, but the notices do not include any details such as what data was stolen, nor the number of students affected; the same is true in Washington state.

Oklahoma City Public Schools on May 13 notified parents that its 34,000 students were also impacted by the Illuminate Education data breach; thus far, it is the only district in Oklahoma known to have been impacted. Oklahoma has no statewide public disclosure requirements, so it’s left up to local districts to decide whether and how to notify parents in the event of a breach of student data, Oklahoma Department of Education officials told THE Journal last month.

In Colorado, where nine districts have publicly disclosed that the Illuminate breach included the data of their combined 140,000 students, there is no legal mandate for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.

Illuminate has told THE Journal that the breach was discovered after it began investigating suspicious access to its systems in early January. The incident resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.

Featured

  • An elementary school teacher and young students interact with floating holographic screens displaying colorful charts and playful data visualizations in a minimalist classroom setting

    New AI Collaborative to Explore Use of Artificial Intelligence to Improve Teaching and Learning

    Education-focused nonprofits Leading Educators and The Learning Accelerator have partnered to launch the School Teams AI Collaborative, a yearlong pilot initiative that will convene school teams, educators, and thought leaders to explore ways that artificial intelligence can enhance instruction.

  • landscape photo with an AI rubber stamp on top

    California AI Watermarking Bill Supported by OpenAI

    OpenAI, creator of ChatGPT, is backing a California bill that would require tech companies to label AI-generated content in the form of a digital "watermark." The proposed legislation, known as the "California Digital Content Provenance Standards" (AB 3211), aims to ensure transparency in digital media by identifying content created through artificial intelligence. This requirement would apply to a broad range of AI-generated material, from harmless memes to deepfakes that could be used to spread misinformation about political candidates.

  • closeup of laptop and smartphone calendars

    2024 Tech Tactics in Education Conference Agenda Announced

    Registration is free for this fully virtual Sept. 25 event, focused on "Building the Future-Ready Institution" in K-12 and higher education.

  • cloud icon connected to a data network with an alert symbol (a triangle with an exclamation mark) overlaying the cloud

    U.S. Department of Commerce Proposes Reporting Requirements for AI, Cloud Providers

    The United States Department of Commerce is proposing a new reporting requirement for AI developers and cloud providers. This proposed rule from the department's Bureau of Industry and Security (BIS) aims to enhance national security by establishing reporting requirements for the development of advanced AI models and computing clusters.