Illuminate Education Booted from Student Privacy Pledge, Referred for Potential FTC and State AG Action

Voluntary Pledge Commitments Not Kept by Illuminate, Future of Privacy Forum Says

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach. Find more details about the Illuminate data breach — such as why New York is investigating the ed tech company for potential violations of state law and why cybersecurity experts say transparency should be mandated — in this previous report.

The Future of Privacy Forum on Monday announced it has removed Illuminate Education from the nonprofit’s list of Student Privacy Pledge signatories — the first time a company has been de-listed from the voluntary data protection pledge — and said it sent its decision and supporting facts to federal and state authorities for potential legal action against the ed tech company.

The removal decision follows FPF’s review of “publicly available information” and communications with Illuminate officials about the breach of private student data stored on Illuminate Education’s servers sometime between Dec. 28, 2021, and Jan. 8, 2022. Illuminate has since said that on Jan. 8 its staff discovered that an unauthorized party had accessed its servers, and that the company shut down numerous ed tech platforms for about a week while it worked to secure its network and systems.

Eight months later, Illuminate has not made any announcement confirming the precise type of student data that was compromised, nor has it revealed the number of students impacted; according to Illuminate’s website at the time of the breach, its K–12 ed tech solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools with a total enrollment of about 17 million U.S. students.

The Student Privacy Pledge, created in 2014 by FPF and the Software & Information Industry Association to provide a self-regulatory path for K–12 education technology providers, includes commitments to ethical business practices and to baseline security and data protection measures. The pledge was updated in 2020. Because signatories publicly attest to its commitments, a signatory that breaks those promises is considered subject to enforcement by the Federal Trade Commission and state attorneys general, though that has never been tested.

“By taking the pledge, a company is making a public statement of their practices with respect to student data,” the Student Privacy Pledge website states. “Accountability comes from the Federal Trade Commission, which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices. If a company acts in contradiction to their own public statements, they risk an enforcement action for ‘unfair or deceptive trade practices.’ This is known as FTC Section 5 authority, which you can learn more about by visiting the FTC’s explanation.”

FPF said in its statement Monday it shared its decision and case information with the FTC and attorneys general in California and New York, where at least 3 million students were impacted by the data breach. “Noncompliance with the Pledge when publicly attesting to compliance may be a misleading and deceptive business practice under federal and state law if confirmed by those agencies,” FPF said.

FPF said its review sought to determine whether the company’s data protection practices meet the requirements of the Student Privacy Pledge, and it found those practices lacking.

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while at rest and in transit,” FPF said. “Such a failure to encrypt would violate several Pledge provisions, including commitments to:

  • “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of Student PII – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information; and
  • “comply with applicable laws,” including New York state law that explicitly requires data encryption.

FPF noted that throughout “multiple communications with Illuminate, the company would not state that it encrypted all student information while at rest and in transit during the relevant time periods.”

Hard-Hit New York State Education Department Is Already Investigating Illuminate

The Illuminate Education data breach is known to have impacted the nation’s two largest school districts, New York City Department of Education with about 820,000 students currently enrolled and Los Angeles Unified with 430,000 students, along with hundreds of other schools across New York state, 30 other districts in California, nine districts in Colorado, four in Connecticut, one in Oklahoma, and two in Washington state.

The estimated total of 3 million students impacted by the breach is based on New York State Department of Education official estimates that “at least 2 million” statewide were impacted, plus the current enrollment figures of the other districts that have since disclosed their student data was also breached by Illuminate.

Illuminate’s notification letters to impacted districts, many of which posted the letters directly on their district websites, stated that current and, in some cases, former students were impacted by the breach. A handful of schools that publicly detailed the depth of the impact have said the breached data included private information belonging to students enrolled as many as nine years ago, in addition to the data of current students.

The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of student data breaches. Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools, but in multiple email communications with THE Journal it declined to specify the number of students impacted.

Though most states do not require public disclosure of data breaches impacting students, a few, such as New York and California, require prompt notification of parents when any student data is compromised. Others leave it to individual school districts to decide whether and how to disclose breaches, or require notification only if students’ Social Security numbers are among the compromised data.

Illuminate has repeatedly said — through emailed statements to THE Journal and through its form-letter notification sent to districts known to be impacted — that Social Security numbers were not stored on its servers and not included in the breach. Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

A New York Times report published July 31 about the Illuminate breach cited educators and administrators at impacted schools, who said the Illuminate software used by many districts to track students’ progress included “extremely confidential” information about students’ intellectual disabilities, emotional states, physical disabilities, and whether the student was homeless, for example.

“Officials said in some districts the data included the names, dates of birth, races or ethnicities and test scores of students,” wrote Natasha Singer in the New York Times report. “At least one district said the data included more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.”

The New York State Education Department told THE Journal on May 5 that its data privacy officials had opened an investigation into Illuminate’s handling of the data breach on April 1.

Illuminate has not responded to multiple follow-up emails and phone calls requesting more information about the incident.