NYC officials call for investigation after data of 820,000 students compromised in hack
New York City’s mayor and several education officials said they are outraged after a digital education platform used by dozens of city schools disclosed that hackers gained access to the personal information of 820,000 current and former students during a January breach.
Illuminate Education – which owns popular school management platforms IO Classroom, Skedula, and Pupilpath – told The Record that it recently completed an investigation into a January outage that left parents, teachers and administrators angered for weeks.
New York City teachers use the platforms extensively to communicate with parents and check grades for each student. The outages came at a particularly inopportune time as officials managed the peak of a COVID-19 surge, snow days and other issues affecting the school year.
At the time, Illuminate Education confirmed it was dealing with a “security incident” but they and the NYC Department of Education denied that any data was leaked.
In a statement to The Record on Monday, Illuminate Education said personal information was involved in the hack and they are in the process of notifying those who may have been affected.
“The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again,” a spokesperson for the company said.
That did little to assuage incensed New York City officials, who are now saying the company may have broken state laws in its handling of the data breach.
New York City Mayor Eric Adams and NYC Schools Chancellor David Banks told The Record that the New York State Education Department has been asked to investigate the incident alongside several other agencies.
“The formal notification of a breach of students’ data by Illuminate after two months shows the company has been more concerned with protecting itself than protecting our students. This is completely unacceptable, and why we’ve asked the NYSED to investigate Illuminate’s compliance with state law,” Adams said in a statement The Record.
“We’ve also asked the NYPD, the New York Attorney General’s Office, and the FBI to investigate the actions of those who illegally accessed this data. We will not tolerate bad actors in this city and plan to hold Illuminate fully accountable for not providing our students with the security and the timely notification the company promised.”
City officials said Adams was briefed on the possibility of a breach and gave a deadline for the company to provide a formal notification or face “alternate consequences.”
Banks confirmed that state officials are investigating the situation and said city officials will be independently verifying claims that Illuminate has increased its data security protections.
“We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not,” Banks told The Record.
“We understand how important it is that families can trust that their child’s data is protected, and we are exploring options to hold Illuminate accountable for violating that trust.”
Student data leaked
Officials at the NYC Department of Education explained that the breach was part of the incident that resulted in an interruption of service in January 2022 across all of the Illuminate products used by the city.
They said that despite requests for more information, Illuminate has not provided them with key details from their investigation of the outage and breach.
Illuminate has claimed – in statements to The Record and in its communications with city officials – that not all types of student records it holds and not all data that schools share with it were accessed by the hacker.
The hacker did not have access to IO Classroom, Skedula and Pupilpath even though the outage affected those platforms, according to Illuminate. But data from each platform was included in the database that the hacker did break into, including names, birthdates, state student ID numbers, genders, ethnicities, languages spoken and more.
Some students in special education programs and the Individualized Education Program (IEP) also had their information leaked. The database also included information on whether a student is socio-economically disadvantaged and whether the student participates in the National School Lunch Program.
Every student profile in the database had information about which teachers they have, what courses they take, their grades and more. Social Security numbers and family financial account information were not included in the database.
City officials said Illuminate still has not given them enough information to verify how many students had certain kinds of personal information accessed. There are about 930,000 students in the NYC public school system.
Records obtained by The New York Post indicate the company has made $16 million from Department of Education schools in the last three years. Illuminate made several promises to the New York City Department of Education about its data privacy and security practices, city officials told The Record.
The agreement initially signed by the city and Illuminate includes clauses mandating the encryption of student data both in transit and at rest, they said, adding that encryption is specifically required by New York State’s Education Law.
The NYC Department of Education also required Illuminate to go through a data security assessment, which began in 2019.
But city officials have revealed that in communications about the outage, Illuminate admitted it did not encrypt student information while the data was at rest.
“Given this contractual and legal violation, we have referred this matter to NYSED’s Chief Privacy Officer for investigation, as she has the authority to launch an investigation of companies that violate these legal provisions,” a NYC Department of Education official told The Record.
”We have demanded that Illuminate provide us with information concerning which students were impacted and the full extent of their data that was accessed as part of the breach. In the coming weeks families will receive a letter with more information about what personally identifiable information was accessed and what steps Illuminate is taking to rectify the situation and how to access identity monitoring paid for by Illuminate.”
Officials call for audits
City officials are also demanding a review of Illuminate’s safeguards after the company claimed it has improved its security measures.
Illuminate has agreed to undergo a second data security assessment that will be done by the NYC Department of Education and another by an independent company.
Despite everything that has happened, city officials said they “do not believe that it is in the best interest of school communities to remove this service and disrupt school operations during this school year.”
“For next school year, we are reviewing whether to allow the use of Illuminate products in our schools,” NYC Department of Education officials said.
“We are proceeding with a full review of DOE vendor data security policies. This review will put in place additional measures to ensure any vendor working with DOE student data can independently verify that their data safeguards meet industry standards and meet what is legally required.”
Illuminate representatives did not respond to requests for comment about claims that they violated state law.