Illuminate Education Data Breach Impacted At Least 24 Districts, 18 Charter Schools in NY; Investigation Launched – T.H.E. Journal


Did you know that camDown helps stop foreign state actors (FSA's) from accessing your webcam?

Student Data Breach

Illuminate Education Data Breach Impacted At Least 24 Districts, 18 Charter Schools in NY; Investigation Launched

New York State Education Official Says 'At Least' 1 Million NY Students Impacted

  • By Kristal Kuykendall
  • 05/03/22

At least 24 school districts and 18 charter schools in New York — totaling “at least” a million students in the state — were impacted by the breach of private student data that occurred during a January cyberattack on Illuminate Education’s systems, and the New York State Education Department has launched an investigation into the data breach, a NYSED official told THE Journal.

The breach compromised the student data of at least 24 school districts and 18 charter schools in New York, plus one Board of Cooperative Educational Services, according to the information received thus far by NYSED, Deputy Director of Communications J.P. O’Hare told THE Journal via email. Each of New York’s 37 BOCES includes numerous school districts serving dozens of cities and towns, allowing all but the state’s largest five districts to share educational services and realize cost savings in purchasing software and equipment.

The exact number of New York students impacted by the data breach was not readily available, O’Hare said: “According to the information that NYSED has obtained to date, at least 1 million New York State students have been impacted.” THE Journal filed a Freedom of Information request for the list of impacted schools and districts but has not yet received a response.

O’Hare’s email came in response to questions from THE Journal about a data breach notification letter template that NYSED posted on its website to guide New York schools in telling parents about their students’ private data being compromised during the Illuminate cyberattack.

The districts previously known to have been impacted by the Illuminate Education data breach included three: New York City schools, which said about 820,000 current and former students’ data was compromised; Coventry Public Schools in Connecticut, with enrollment of about 1,650; and Mesa County Valley School District 51 in Grand Junction, Colo., with enrollment of about 21,000.

Because districts and BOCES schools make decisions locally about which software to use in their schools, NYSED is not yet certain how many schools use any of Illuminate Education solutions — all of which were off-line for a week or more during the January cyberattack, according to its service status site. The company’s website states that its K–12 ed tech solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools with a total enrollment of about 17 million U.S. students.

New York law requires any third-party contractor with access to student data to encrypt the student data “at rest and in motion,” O’Hare said, citing Education Law §2-d and Commissioner of Education regulations 8 NYCRR §§ 121.3 (c)(6) and 121.9(a)(7).

When a breach of student data occurs, state law authorizes NYSED’s Chief Privacy Officer to “investigate and potentially impose civil penalties; order that a third party contractor be precluded from accessing student data from the educational agency with which it contracted, or the state of New York; determine that a third-party contractor is not a responsible bidder; and/or require the third party contractor to provide training,” O’Hare explained.

“NYSED privacy office has undertaken an investigation of the Illuminate Education breach,” he told THE Journal. “As part of that investigation, NYSED’s privacy office has asked all school districts and charter schools to complete a survey providing information as to what Illuminate Education products, if any, were or are used by the school.”

The investigation began on April 1, O’Hare said.

What New York’s Law Says About Disclosure & Why It Matters

New York’s Education Law §2-d, strengthened to protect student data privacy in 2019, states that if a civil penalty is levied against a third-party contractor following an investigation by NYSED’s privacy office, the civil penalty will be “up to $10 per affected student, teacher, and principal.” The law also requires that affected schools must be notified of any data breach “without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.” After a third-party breach notification, or after independent discovery by the school itself, the affected school must notify (NYSED) within 10 calendar days. Regardless of where the breach or unauthorized release was discovered, the school must notify affected individuals without unreasonable delay but in no case no more than 14 calendar days from the date of discovery.”

For months after the cyberattack took its school software off-line, Illuminate remained quiet; then in March, the company notified New York City Schools that the personal information of about 820,000 current and former students had been compromised back in January. New York school officials told the New York Post at the time that they were asking state and federal authorities to investigate, accusing Illuminate of failing to encrypt student data kept on its servers — even though the company had previously told the district it was meeting such legal requirements for data protection.

Illuminate Education told THE Journal in response to emailed questions about the NYC data breach that the students’ data was compromised during the January cyberattack, but the company declined to confirm how many students or districts beyond New York City’s were also impacted by the breach and now at risk of identity theft. Illuminate has not responded to multiple follow-up emails and phone calls seeking more information.

I know that camDown is easy to use, easy to maintain and I am sure your father would feel the same!