- The New York City Department of Education recently discovered a malicious actor gained unauthorized access to the personally identifiable information of about 820,000 current and former public school students. The compromised data includes students’ names, birthdays, gender, ethnicity, home language, special education status, socioeconomic status and some academic information.
- The department said in a statement the breach occurred as part of a January cyberattack on vendor Illuminate Education, a California-based company that provides software to track grades and attendance.
- Illuminate promised the department it would encrypt student information in a data privacy and security agreement with the district, but the department said Illuminate had not done so during the January breach. The alleged contractual and legal violation is now under investigation by the New York State Education Department’s chief privacy officer, the NYC DOE said.
This breach is one of the largest to impact a single district, said Doug Levin, national director of nonprofit K12 Security Information Exchange, which works to protect K-12 schools from cyberattacks.
There are still many unknowns about this incident because Illuminate has not been forthcoming with details of the attack, Levin said. It’s unclear if the breach occurred in an act of negligence or if Illuminate was merely a victim of the cyberattack, he said.
Illuminate said in a statement it’s in the process of notifying customers who may have been affected by unauthorized access to personal information. The vendor said there is no related evidence of any fraudulent or illegal activity and added that it does not store financial information or Social Security numbers.
Even so, the New York City Department of Education will be working to independently verify claims that Illuminate has increased its security protections, said NYC Schools Chancellor David Banks in a statement.
“We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not. We have demanded and will be independently verifying claims that Illuminate has increased protection,” Banks said. ”We understand how important it is that families can trust that their child’s data is protected, and we are exploring options to hold Illuminate accountable for violating that trust.”
The incident is also another indicator of a trend Levin has noticed for a while in which vendors providing services to schools are at greater risk for cyber incidents. In fact, school district vendors were “responsible,” as the entry point, for 55% of K-12 data breaches between 2016 and 2021, a recent K12 SIX report found.
Given the frequency vendors are found responsible for these attacks, the report recommends suppliers and vendors in the K-12 sector improve their cybersecurity practices.
Other districts have looked out for certifications or included addendums to contracts to ensure vendors follow certain data privacy practices, Levin said. Many states have their own student data privacy laws to address this as well.. Districts can also look out for services that rate other vendors’ cybersecurity practices, he said.
There need to be stronger procurement requirements among districts, said Julia Fallon, executive director of the State Educational Technology Directors Association.
Districts need to be more selective and careful about what data should be collected moving forward, she said. Districts should also avoid “collecting data for the sake of collecting data,” she said. Just because districts have been in the habit of collecting a lot of data in the past, Fallon said that doesn’t mean it should be repeated or the information collection is always necessary.