Illuminate Education Mega-Breach Affects K-12 Students

Probe Finds 1 Million Students’ Personal Details Stolen From Unencrypted Database

Excerpt of a breach notification letter distributed by Colorado’s Pueblo County School District 70 (Source: KOAA News5)

New York state officials have launched an investigation into a data breach involving a widely used digital education software platform that exposed protected, personal information for more than 1 million school-age children.


The breach occurred after an attacker accessed systems operated by Illuminate Education, a software platform designed for K-12 school districts that allows educators to track and report on a number of attributes, including grades, attendance and class schedules, as well as to communicate with parents.


Illuminate, which is based in Irvine, California, says its tools are used by 5,200 school districts and schools across all 50 states, encompassing more than 17 million students. The company reportedly earns about $126 million in annual revenue.


The company declined to comment on how many current and former students’ information has been exposed or how many schools or school districts have been affected. But it says its investigation is now complete and all the affected schools are being notified.


“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” a spokesperson tells Information Security Media Group. “We are in the process of notifying all customers that were affected and are working closely with customers to notify individuals who may be affected. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again.”




Intrusion Began in December


In a breach notification to some affected families, Illuminate Education says it detected the data breach on Jan. 8 and immediately brought in third-party digital forensic experts to investigate. “On March 4, our investigation confirmed that certain databases, containing potentially protected student information were subject to unauthorized access between Dec. 28, 2021 and Jan. 8,” it says.


Signs that something might be amiss first came to light publicly Jan. 8, when Illuminate experienced an outage. In retrospect, this now appears to have been the company taking multiple applications offline – including IO Classroom, formerly known as Skedula, as well as IO Assessment, IO Insights, EduClimber, PupilPath and Compass – while it investigated the suspected intrusion.


The software is used by numerous school districts, in part to track K-12 students’ grades as well as to communicate with parents. Use of such tools has grown due to the COVID-19 pandemic and the switch to remote learning, as well as their use for snow days.


Illuminate Education’s chief operating officer, Scott Virkler, told ZDNet in January that the priority in the aftermath of a “security incident” was “to restore service as soon as possible and do everything in our power to help users.”


At that time, New York’s Department of Education reported that there was as yet no indication that student data had been exposed in the breach.


But as data breach investigations progress, investigators often find evidence that the breach is worse than it first seemed. In part, this is why security experts often recommend not rushing breach notifications – regulations or other rules permitting – so that the actual impact of the security incident and what victims should do to protect themselves can be ascertained first (see: Data Breach Notifications: What’s Optimal Timing?).


Unencrypted Database Breached


As investigators probed the Illuminate security breach, they discovered that an attacker had accessed personal data for some current and former students, dating back to the start of the 2016 school year.


Illuminate says the attacker did not directly access the platforms affected by the outage, but did access a database storing some information in unencrypted format from those platforms, reports threat intelligence firm Recorded Future’s The Record news site.


According to various breach notifications issued by affected schools, exposed information for each student included name, date of birth, gender, ID number, course enrollment and class schedules, among other details. For some schools, exposed information also reportedly included whether a student received special education services or free lunches.


On Thursday, education technology media site THE Journal reported that a Freedom of Information Request it filed with the New York State Education Department revealed that 565 schools in the state – out of 4,400 in total – were affected by the breach, with information being exposed for more than 1 million current and former students.


New York state officials told THE Journal that the information had come via Illuminate, in part because technology choices are left to individual school districts or schools. Hence state officials had no master list of who was using Illuminate Education products.




Colorado and Connecticut Schools Also Affected



NBC affiliate KOAA News5 this week reported that at least three Colorado school districts – 12, 51 and 70 – were also affected, and parents recently received data breach notification letters.


Colorado’s Mesa County Valley School District 51, which currently enrolls about 21,000 students, told families on April 22: “The databases impacted by the unauthorized access may have included student names, academic and behavior information, enrollment information, accommodation information, special education information and demographic information. Social Security numbers and financial information was not part of the breach.”


Another affected school district: Connecticut’s Coventry Public Schools, which said that “affected families will be receiving a mailing from Illuminate Education offering those children complimentary access to 12 months of identity monitoring services through IDX.” The school district has a current enrollment of about 1,650 students.


New York Orders Victim Notification


The New York State Education Department has instructed all affected schools to notify all parents or guardians of current students affected by the breach and – whenever possible – to alert former students who may have been affected.


New York state law says that “where a breach or unauthorized release is attributed to a third-party contractor, the third-party contractor shall pay for or promptly reimburse the educational agency for the full cost of the notifications.”


New York state officials and Illuminate didn’t immediately respond to requests for comment on how those costs are being tracked or reimbursed.


THE Journal reports that New York state is probing the data breach. Under New York State Education Law 2-D, any third-party contractor who violates the state’s data privacy law “shall be punishable by a civil penalty of the greater of $5,000 or up to $10 per student, teacher and principal whose data was released,” up to a current maximum of $150,000.