The major cyberattack that ensnared New York City Public Schools is now known to have affected the Los Angeles Unified School District — thus affecting the nation's two largest school systems. To date, the data breach from the cyberattack on Illuminate Education has reached districts in at least six states: Colorado, Connecticut, California, New York, Oklahoma and Washington.
The LAUSD data breach occurred in December and January, and was reported May 20, according to the California Department of Justice. But no further details were provided as to how many students' information was compromised or the type of data that had unauthorized access.
- As more districts continue to discover that the Illuminate Education data breach has affected them, the New York City Department of Education recently confirmed that NYC schools stopped using Illuminate Education products following the data compromise of about 820,000 of its current and former public school students.
The LAUSD notification regarding the data breach at Illuminate Education, a California-based company that provides software to track grades and attendance, means the top three largest school districts in the nation — Chicago, NYC and Los Angeles — have all recently been impacted by vendor-related data breaches.
Chicago Public Schools learned in May it faced a data breach in a separate incident that compromised the information of nearly 500,000 student records after a December ransomware attack on nonprofit ed tech provider Battelle for Kids.
LAUSD did not respond to a request for comment on Friday about the Illuminate Education data breach.
Illuminate Education’s products reach 17 million students in 5,200 schools and districts nationwide, according to its website.
There are likely more surprises from the Illuminate Education data breach still to be revealed, said Doug Levin, national director of K12 Security Information Exchange, or K12 SIX, a nonprofit organization that aims to protect schools from cybersecurity threats.
“Every new incident that we learn about continues to raise tough questions for Illuminate Education about this incident and their security practices,” Levin said.
The NYC Department of Education said Illuminate Education promised it would encrypt student information in a data privacy and security agreement with the district. However, the department said the vendor did not do so when the cyberattack happened in January.
Illuminate said in a previous statement there was no evidence of any fraudulent or illegal activity. The company also said it does not store financial information or social security numbers.
Levin also noted NYC cutting ties with Illuminate Education following the data breach should be a “warning shot” for ed tech companies and their investors.
“This is a very strong statement by a very large district,” he said. “It suggests to me that going forward, whether it is entirely fair or not, districts are going to be holding their vendors to account for reasonable security practices."