On December 28, 2021, Illuminate Education was hacked. The intrusion, which lasted until January 8, 2022, compromised the private data of nearly one million students in New York State (and maybe more)
The breach affected at least 24 school districts and 18 charter schools, along with one Board of Cooperative Educational Services (BOCES)
The company initially described the hack as an “attempted security incident” but then shut down both Skedula and PupilPath for more than a week to address the issue
Possibly the largest school data breach in U.S. history
What Is Illuminate Education?
A California-based edtech company (founded in 2009) that runs a variety of school information platforms, including Skedula (aka IO Classroom), PupilPath, and eduCLIMBER
From its website:
Our solution brings together holistic data and collaborative instructional tools, and puts them in the hands of educators.
As a result, they can visualize each student’s progress, determine the right instructional or intervention strategy, and take the best next action, moment-by-moment.
More than 17 million students and 5,200 districts and schools across all 50 states rely on Illuminate every day to move the student performance needle.
It does not have a NY state- or city-wide contract but it is an approved vendor, which means that it was “rigorously reviewed” by the IT Department for the state Department of Education
Schools use the platforms for a variety of purposes:
** tracking grades and attendance
** communicating with parents
** contact tracing for COVID–19
The company has earned about $5 million per year from NY schools
What Data Was Compromised?
A database containing a variety of personally identifying information, including:
** home languages
** student ID numbers of current and former public school students going back to the 2016–17 school year
** identities of special ed students
** class and teacher schedules
** identities of those receiving free lunch
Illuminate waited two months to formally notify the city.
** Avoid bad publicity and/or litigation
** Negotiating with hackers
** Avoid compromising investigation
Illuminate claimed that all student data is encrypted but the breach revealed that was not true
New York state law requires that student information be encrypted both “at rest or in motion”
The hack is still being investigated by the Dept. of Education, the New York Police Department, the FBI, and NYS Attorney General Leticia James
A school district in Connecticut also reported a breach, as did at least two in Colorado
New York State Education Department drafted a template for a letter/web page for parents
** Notification of “unauthorized release of such data”
** Notification of number of years of data affected (blank in template)
** A promise that more information will be provided
What Are the Risks?
Profound impact on the ability of schools to function
Identity Theft using dark web tools and resources
Credit damage to minors, who typically don’t monitor their credit
What Can Schools Do?
Make sure that their own house is in order
Updated security patches
Collaboration with other schools/districts
Ongoing review and utilization of state and federal resources
Consider bringing in outside security consultants
Review what student data is collected and whether doing so is mission-critical
Don’t just collect data because it is possible to do so
Make local backups of any data that is being transmitted to third-party vendors
Thoroughly vet third-party vendors who collect and store student data
Have they had security or data breach issues in the past?
Advocate for stronger regulation of data collection firms at both state and federal levels
What Can Parents Do?
Don’t ignore notices of potential data breaches
Change any passwords used by you or your children to interact with the school or the vendor platform(s)
Put a credit lock on child social security numbers
Take advantage of offers for complimentary credit monitoring for themselves and their children
Be wary of possible fraud – scam calls, phishing emails, etc.
Double-check by phone with school personnel about any online request for information
Talk to your children about possible misuse of their information