EdisonLearning Breach in 2023 Subject of Class-Action Inquiry as Official Notification is Posted

  • By Kristal Kuykendall
  • 02/27/24

Attorneys working with ClassAction.org are “investigating whether a class-action lawsuit can be filed” against EdisonLearning on behalf of individuals whose name and Social Security number were among files stolen during a ransomware attack in early March 2023.

The cyberattack targeting public school management and virtual learning provider EdisonLearning became publicly known last April when the Royal ransomware gang posted on its dark web data leak site that it had stolen 20GB of the company’s data “including personal information of employees and students” and threatened to post the data “early next week.” 

“Looks like knowledge providers missed some lessons of cyber security [sic]. Recently we gave one to EdisonLearning and they have failed,” read the April 26, 2023 post by the Royal gang.

A screenshot from April 26, 2023 shows the dark web leak site of The Royal Ransomware gang and its threat to release data it claimed to have stolen from EdisonLearning

THE Journal first reported on the breach on May 2, 2023.

Last week, EdisonLearning’s data breach notification was posted on the Vermont Attorney General’s website, dated Feb. 21, 2024. The notice states: “On or about March 17, 2023, EdisonLearning became aware of suspicious activity within our systems. We immediately took steps to secure our systems and launched an investigation into the nature and scope of the activity with the assistance of third-party specialists. Through our investigation we determined that an unauthorized actor accessed certain computer systems in our network between March 7, 2023, and March 17, 2023, and downloaded certain files stored in those locations.”

The types of breached information is redacted from the notice, but according to ClassAction.org, the stolen information “may include the names and Social Security numbers of individuals associated with the company.” 

“To date, we are unaware of the actual misuse of this information as a result of the event,” EdisonLearning’s notice states.

At the time of the initial reporting of the ransomware group’s threat, EdisonLearning confirmed a cyber incident had occurred and said it could not divulge anything else. 

It is not clear whether the stolen data was ever posted on Royal’s dark web leak site because the gang's website has since been removed; in November 2023, CISA and the FBI said the Royal gang had hacked more than 350 known victims and demanded ransoms exceeding $275 million, adding that the group might be “rebranding” under the name Blacksuit.

EdisonLearning Director of Communications Michael Serpe confirmed in an email to THE Journal today that the impacted systems held corporate data but no student data.

“As noted last year at the time of the attack, the information accessed was only corporate-related data. No further specifics will be provided. Also, no student information was impacted since such information is not maintained on the corporate system,” Serpe said. “EdisonLearning has been working diligently with subject matter specialists, including legal counsel and forensic analysts, since the incident to investigate and confirm the scope of the potentially impacted data. Following the initial investigation, EdisonLearning undertook a comprehensive, time-intensive process to confirm precisely what information was involved, to identify the contact information for those individuals potentially impacted, and to provide notice in accordance with our relevant obligations. Additionally, we instituted a number of new internal security protocols, which we would rather not specify.”

ClassAction.org attorneys are asking individuals who received a notice stating they were impacted to contact them by completing an online form.

According to the ClassAction.org investigation announcement, EdisonLearning first sent a preliminary notice of the breach to its current employees on April 14, 2023, alerting them that they “may have been impacted by the incident.” 

The company began mailing written notices of the incident to other affected individuals on February 21, 2024, the same day the breach notification was posted on the Vermont AG’s website.

Based in Fort Lauderdale, Florida, EdisonLearning was founded in 1992 as the Edison Project to provide school management services for public charter schools and struggling districts in the United States and United Kingdom. 

According to an archived 2015 website page, EdisonLearning has managed hundreds of schools in 32 states, serving millions of students over the years. A 2012 EdisonLearning sales presentation viewed by THE Journal states that during the 2009–2010 school year, the company’s services were providing schooling for 400,000 children in 25 states, the U.K., and the United Arab Emirates. The information did not list the number of people employed by the company.

More recently, EdisonLearning has expanded to provide virtual schooling for middle and high school students as well as CTE courses for high school students, social-emotional learning courses for middle and high school, and more. The company operates its own in-house learning management system, called eSchoolware, and on its website touts other services such as “management solutions, alternative education, personal learning plans, and turnaround services for underperforming schools.”

Featured

  • A middle school student wearing safety goggles and a lab coat uses a microscope in a science lab, surrounded by beakers and test tubes filled with colorful liquids

    2025 Young Scientist Challenge Seeks Students Using Science to Solve Everyday Problems

    The entry period is now open for the 2025 3M Young Scientist Challenge, a science competition from 3M and Discovery Education for students in grades 5-8 recognizing individuals across the United States who have "demonstrated a passion for using science to solve everyday problems and improve the world around them."

  • reDesign Future9 report

    ReDesign Updates 9 Essential Competencies for K-12 Students

    ReDesign, a provider of support and resources for competency-based education, has updated its Future9 Competency Framework to reflect the essential skills K-12 students need today to thrive in their education and workforce journeys.

  • outline of a modern school building as glowing blue geometric shapes, surrounded by binary code streams, with golden orbs and lines representing funding, set against a dark gray gradient with faint grid patterns

    FCC Cybersecurity Pilot Participants Selected

    The Federal Communications Commission has officially selected the participants for its Schools and Libraries Cybersecurity Pilot, the three-year program exploring the use of Universal Service funds to improve school and library defenses against cyber attacks.

  • teacher

    6 Policy Recommendations for Adopting AI in the Classroom

    The Southern Regional Education Board's Commission on AI in Education has published six recommendations on adopting artificial intelligence in schools, colleges, and universities. The guidance marks the commission's first release since it was established last February, with more recommendations planned in the coming year.