Listen to this episode on Cybertraps.com, Apple Podcast, or your podcast platform of choice.

Show notes

News Item:

  • On December 28, 2021, Illuminate Education was hacked. The intrusion, which lasted until January 8, 2022, compromised the private data of nearly one million students in New York State (and maybe more)
  • The breach affected at least 24 school districts and 18 charter schools, along with one Board of Cooperative Educational Services (BOCES)
  • The company initially described the hack as an “attempted security incident” but then shut down both Skedula and PupilPath for more than a week to address the issue
  • Possibly the largest school data breach in U.S. history

What Is Illuminate Education?

  • A California-based edtech company (founded in 2009) that runs a variety of school information platforms, including Skedula (aka IO Classroom), PupilPath, and eduCLIMBER
  • From its website:

Our solution brings together holistic data and collaborative instructional tools, and puts them in the hands of educators.
As a result, they can visualize each student’s progress, determine the right instructional or intervention strategy, and take the best next action, moment-by-moment.
More than 17 million students and 5,200 districts and schools across all 50 states rely on Illuminate every day to move the student performance needle.

  • It does not have a NY state- or city-wide contract but it is an approved vendor, which means that it was “rigorously reviewed” by the IT Department for the state Department of Education
  • Schools use the platforms for a variety of purposes:
    ** tracking grades and attendance
    ** communicating with parents
    ** contact tracing for COVID–19
  • The company has earned about $5 million per year from NY schools

What Data Was Compromised?

  • A database containing a variety of personally identifying information, including:
    ** names
    ** birthdays
    ** ethnicities
    ** home languages
    ** student ID numbers of current and former public school students going back to the 2016–17 school year
    ** identities of special ed students
    ** class and teacher schedules
    ** identities of those receiving free lunch

Post-Incident Responses

  • Illuminate waited two months to formally notify the city.
  • Possible reasons:
    ** Avoid bad publicity and/or litigation
    ** Negotiating with hackers
    ** Avoid compromising investigation
  • Illuminate claimed that all student data is encrypted but the breach revealed that was not true
  • New York state law requires that student information be encrypted both “at rest or in motion”
  • The hack is still being investigated by the Dept. of Education, the New York Police Department, the FBI, and NYS Attorney General Leticia James
  • A school district in Connecticut also reported a breach, as did at least two in Colorado
  • New York State Education Department drafted a template for a letter/web page for parents
    ** Notification of “unauthorized release of such data”
    ** Notification of number of years of data affected (blank in template)
    ** A promise that more information will be provided

What Are the Risks?

  • Profound impact on the ability of schools to function
  • Identity Theft using dark web tools and resources
  • Credit damage to minors, who typically don’t monitor their credit

What Can Schools Do?

  • Make sure that their own house is in order
  • Updated security patches
  • Collaboration with other schools/districts
  • Ongoing review and utilization of state and federal resources
  • Consider bringing in outside security consultants
  • Review what student data is collected and whether doing so is mission-critical
  • Don’t just collect data because it is possible to do so
  • Make local backups of any data that is being transmitted to third-party vendors
  • Thoroughly vet third-party vendors who collect and store student data
  • Have they had security or data breach issues in the past?
  • Advocate for stronger regulation of data collection firms at both state and federal levels

What Can Parents Do?

  • Don’t ignore notices of potential data breaches
  • Change any passwords used by you or your children to interact with the school or the vendor platform(s)
  • Put a credit lock on child social security numbers
  • Take advantage of offers for complimentary credit monitoring for themselves and their children
  • Be wary of possible fraud – scam calls, phishing emails, etc.
  • Double-check by phone with school personnel about any online request for information
  • Talk to your children about possible misuse of their information
  • The price of digital data is eternal vigilance

Resources