Personal data for roughly 820,000 current and former New York City public school students was compromised in the hack of a widely used online grading and attendance system earlier this year, city Education Department officials said Friday, revealing what could be the largest-ever breach of K-12 student data in the U.S.
Furious city Education Department officials are accusing Illuminate Education, the Irvine-based company behind the popular Skedula and PupilPath platforms, of misrepresenting its cybersecurity measures by certifying that it encrypts all student data when in fact the company left some of it unencrypted.
The breach prompted a weekslong shutdown of grading and attendance systems in January, causing chaos at city schools. The hackers gained access to a database with the names, birthdays, ethnicities, home languages and Student ID numbers of current and former public school students going back to the 2016-17 school year, Illuminate told the Education Department.
Illuminate did not specify what categories of information were compromised for each of the 820,000 affected students.
The hackers also extracted information about whether students get special education services, class and teacher schedules, and whether kids receive free lunch, according to the Education Department.
The hack amounts to what is likely the largest-ever single breach of personal student data in the U.S., according to an expert who has tracked school cybersecurity incidents, and raises a host of new privacy questions for families and city schools.
“I can’t think of another school district that has had a student data breach of that magnitude stemming from one incident,” said Doug Levin, the national director of K12 Security Information Exchange, a group that has tracked cyberattacks targeting schools and education platforms since 2016.
There are roughly 930,000 students in the city public school system.
The compromised data falls into four categories: “biographic information,” which includes full names, birthdays, student ID numbers, ethnicity and language information; “special education information,” which discloses whether a student receives services for a disability; “sensitive information,” which relates to a student’s economic status; and “academic information,” which includes students’ assessment grades and the names of their teachers.
Illuminate didn’t break down how many students were affected by each category of data breach, other than disclosing that the hackers accessed economic status information for 15,000 students.
DOE spokesman Nathaniel Styer blasted Illuminate for allegedly fudging its cybersecurity protocols — and promised follow-up for families and schools.
“We are outraged that Illuminate represented to us and schools that legally required industry-standard critical safeguards were in place when they were not,” he said.
Styer said the DOE asked the NYPD, FBI and New York Attorney General to investigate the initial hack, and requested that the state Education Department look into Illuminate’s compliance with student data privacy laws.
“We understand how important it is that families can trust that their child’s data is protected, and we are exploring options to hold Illuminate accountable for violating that trust,” Styer added.
In the coming weeks, the DOE said it will work with Illuminate to send the families of each of the roughly 820,000 students affected by the breach an individualized letter explaining what specific data was compromised. Illuminate will likely sponsor a credit-monitoring service for affected students, who may now be vulnerable to identity theft, education officials said.
“Certainly date of birth, names, that is sufficient to worry about that being obtained by criminal actors. I certainly think it would be appropriate credit monitoring would be offered to victims,” said Levin.
DOE officials said Illuminate has not disclosed any information about what, if anything, the hackers had done with the personal data, or whether the company paid a ransom.
Illuminate said in a statement that its investigation into “unauthorized access of our systems” found that “some personal information was involved.” “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident.”