Update of June 15: For updates on this incident, your best resource is Kristal Kuykendall and THE Journal. Hats off to Kristal Kuykendall and THE Journal for tracking the Illuminate Education breach. Kuykendall reports: The breach of student data that occurred during a January 2022 cyberattack targeting Illuminate Education’s systems is now known to have impacted the nation’s second-largest school district, Los Angeles Unified with 430,000 students, which has notified state officials along with 24 other districts in California and one in Washington state. The data breach notifications posted on the California Attorney General’s website in the past week by LAUSD, Ceres Unified School District with 14,000 students, and Riverside County Office of Education representing 23 districts and 431,000 students, mean that Illuminate Education’s data breach leaked the private information of well over 3 million students — and potentially several times that total. Read more at THE Journal.
New York State Education Department has addressed the Illuminate data breach in a notice on the state’s site that advises school districts that they must make their best effort to contact all students, including former students for whom they have addresses. They are also advising districts to keep records of who they notified and who they attempted to notify. This strikes me as quite unusual. Here is the state’s notice and sample website statement for districts to also use. Dear DPOs and school officials: Guidance from the New York State Education Department’s Privacy Office regarding the notification of former students is that each educational agency must do the best it can to notify all students, current and former, regarding the Illuminate Education breach. Therefore, each educational agency must notify all former students for whom it has any address or location information, including an email address. Additionally, it is advised that each educational agency maintain a list of the current students’ parent/guardians and former students it attempted to notify individually. Finally, a notice on the educational agency’s web page is appropriate because of the past years the breach includes. Below is a sample web page notification that you might choose to use when notifying the parents/guardian of current students, eligible students and in this case former students as well as potentially, teachers and principals, about the Illuminate Education breach. As a reminder Education Law 2-d (6)(c) and Commissioner’s regulations § 121.10(f) state that where a breach or unauthorized release is attributed to a third party contractor, the third party contractor shall pay for or promptly reimburse the educational agency for the full cost of the notifications. 
Sample Web Page Notification Regarding Illuminate Education Breach Dear Parent/Guardian, eligible students and former students and teachers and principals (where applicable): In accordance with State Education Law 2-d we are required to notify you when a third-party contractor that receives student data or teacher or principal data pursuant to a contract or written agreement with us had an unauthorized release of such data. As such, this notice is to inform you that Illuminate Education, an educational software company whose products are used in our school district/charter school, has informed us that some databases containing potentially protected student information were subject to unauthorized access between December 28, 2021, and January 8, 2022. The Illuminate Education products used by our school district/charter school are/were______________________________. According to Illuminate Education the affected databases included names, demographic and academic information. The data accessed pertains to the following school years, _________ (insert years). Affected current students and former students for which we have contact information, teachers and principals where applicable will receive a letter from us/Illuminate Education with more information on the information accessed. [If using Illuminate notification, consider referencing identity monitoring offered by Illuminate Education.] If you are a former student and would like additional information, please contact us at (phone number) or by email at (email address), so that we may send you a letter with additional information on the data accessed. Student privacy is of the utmost importance to our school district/charter school and we are therefore monitoring this incident closely and will keep you apprised if there are changes to the situation.
Benjamin Freed reports: A school district in Coventry, Connecticut, notified families of its students this week that students’ data may have been swept up in a breach of one of its vendors earlier this year. The breach-notification letter, dated Tuesday, stated that data belonging to the roughly 1,700 students enrolled in Coventry Public Schools may have been exposed in a January breach of Illuminate Education, a software company that develops software that tracks students’ academic progress. The Illuminate product in question, called eduCLIMBER, is used by school districts to track students’ grades, attendance and behavioral development, according to the company’s website. Read more at StateScoop. But it’s not just the NYC schools and a district in Connecticut that have been impacted. Cristian Sida reports from Colorado: A third-party company, Illuminate Education, that holds student data for school districts nationwide, including Mesa County Valley School District 51, experienced a data breach. Illuminate Education confirmed in an investigation specific databases containing student information were breached between Dec. 28, 2021, and Jan. 8, 2022. Read more at NBC11. How many more school districts have been impacted? Probably a lot although we may not find out about them all. Follow @DougLevin and @K12CyberMap as they are tracking this incident.
Natalie Chuck reports that another district in Colorado has sent letters to parents about the breach at Illuminate Education that impacted more than 820,000 students in New York City as well as 24 other districts and 18 charter schools in NY: Someone, somewhere knows details about thousands of students in southern Colorado after a data breach through a separate organization occurred earlier this year. On Tuesday, District 70 sent parents a letter outlining the details of the breach which happened through Illuminate Education, a vendor the district uses. District 12 sent a similar letter to parents on April 29. Read more at KOAA, where you will also see the district’s letter. Other Colorado school districts are also notifying parents, as 9News reported, including Douglas County and Mesa County Valley School District 51: Mesa County Valley School District 51 in Grand Junction was among the other Colorado districts affected by the breach, the district said in an update April 22. That district said the databases impacted may have included student names, academic and behavior information, enrollment information, accommodation information, special education information, and demographic information. And we also saw reports on Fairfield and Lakota schools in Ohio. I think the remainder of this one will be not the shock of any breach, but tracking how long it is taking districts to find out and then notify parents. And of course, we can expect to see a large national total for this one — and likely a number of lawsuits, because hey, this is America. Update: We now have some data from New York State, thanks to a public records request by THE Journal. Correction: Thanks to Doug Levin who caught my error in listing two Ohio districts. Those districts were affected by the Battelle for Kids breach, not the Illuminate Education one!
Michael Elsen-Rooney reports: Personal data for roughly 820,000 current and former New York City public school students was compromised in the hack of a widely-used online grading and attendance system earlier this year, city Education Department officials said Friday, revealing what could be the largest-ever breach of K-12 student data in the U.S. Furious city Education Department officials are accusing Illuminate Education, the California-based company behind the popular Skedula and PupilPath platforms, of misrepresenting its cybersecurity measures by certifying that it encrypts all student data when in fact the company left some of it unencrypted. Read more at NY Daily News. h/t, @Bmaz