The software that many school districts use to track student progress can record highly sensitive information about children: “Intellectual Disability.” “Emotional disorder.” “Homeless.” “Disturbing.” “In spite of.” “Perpetrator.” “Excessive talking.” “Should take tutoring.”
Now those systems are under scrutiny following a recent cyberattack on Illuminate Education, a leading provider of student tracking software, that affected the personal information of more than a million current and former students in dozens of districts — including New York City and Los Angeles, the nation’s two largest public school systems.
Officials said that in some districts the data included students’ names, dates of birth, race or ethnicity, and test scores. At least one district said the data included more intimate information such as student tardiness rates, migrant status, behavioral incidents and descriptions of disabilities.
Disclosing such private information could have long-term consequences.
“If you’re a bad student and you’ve had disciplinary issues and that information is out there now, how do you recover from it?” said Joe Green, a cybersecurity researcher and parent of a high school student in Erie, Colorado, whose high school was affected by the hack. “It’s your future. It’s about going to college, getting a job. It’s all.”
Over the past decade, tech companies and education reformers have pushed schools to adopt software systems that can catalog and categorize students’ outbursts, absenteeism, and learning problems in the classroom. Such tools are well-intentioned: they are meant to help educators identify and intervene with at-risk students. But as these student tracking systems have proliferated, so have cyberattacks on school software vendors — including a recent hack that affected Chicago Public Schools, the country’s third-largest district.
Now, some cybersecurity and privacy experts say the cyberattack on Illuminate Education amounts to a warning to the industry and to government regulators. While it wasn’t the biggest hack of an ed-tech company, these experts say they are concerned about the nature and scope of the breach — which in some cases exposed sensitive personal details about students, in records going back more than a decade. At a moment when some education technology companies have been collecting sensitive information about millions of schoolchildren, safeguards for student data seem woefully inadequate.
“There really was an epic failure,” said Hector Balderas, the New Mexico attorney general, whose office has sued tech companies for infringing on the privacy of children and students.
In a recent interview, Mr. Balderas said that Congress has failed to enact modern, meaningful student privacy regulations, while regulators have failed to hold ed-tech companies accountable for disregarding student privacy and security.
“There is absolutely an enforcement and accountability gap,” Mr. Balderas said.
In a statement, Illuminate said it had “no evidence that information was misused or attempted” and that it had “implemented security improvements to prevent further cyberattacks.”
Almost a decade ago, privacy and security experts began warning that the proliferation of sophisticated data-mining tools in schools was rapidly overtaking the protection of students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student privacy and safety laws. In 2014, dozens of K-12 education technology providers signed a national Student Privacy Pledge, pledging to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which monitors fraudulent privacy practices, can bind companies to their commitments. President Obama backed the pledge and praised the participating companies in a major privacy speech at the FTC in 2015.
The FTC has long fined companies for violating children’s privacy on consumer services like YouTube and TikTok. Despite numerous reports of ed-tech companies with problematic privacy and security practices, the agency has yet to enforce the industry’s pledge on student privacy.
In May, the FTC announced that regulators plan to crack down on ed-tech companies that violate a federal law — the Children’s Online Privacy Protection Act — that governs how online services handle the personal data of children under 13. The agency is conducting a series of nonpublic investigations into ed-tech companies, said Juliana Gruenwald Henderson, an FTC spokeswoman.
Based in Irvine, California, Illuminate Education is one of the nation’s leading providers of student tracking software.
The company’s website says its services reach more than 17 million students in 5,200 school districts. Popular products include an attendance tracking system and an online gradebook, as well as a school platform called eduCLIMBER, which lets educators capture students’ “social-emotional behavior” and color-code children green (“on track”) or red (“off course”).
Illuminate has promoted its cybersecurity. In 2016, the company announced that it had signed the industry pledge to demonstrate its “support for protecting” student data.
Concerns about a cyberattack surfaced in January after some teachers in New York schools found their online attendance and gradebook systems were no longer working. Illuminate said it temporarily took those systems offline after becoming aware of “suspicious activity” on part of its network.
On March 25, Illuminate notified the district that certain corporate databases had been exposed to unauthorized access, said Nathaniel Styer, the press secretary for New York City Public Schools. The incident, he said, affected about 800,000 current and former students in around 700 local schools.
For affected New York City students, the data included first and last names, school name, and student ID number, as well as at least two of the following: date of birth, gender, race or ethnicity, native language, and class information such as teacher name. In some cases, students’ disability status was also affected – that is, whether or not they received special education services.
New York City officials said they were outraged. In 2020, Illuminate signed a strict data agreement with the district, committing the company to protecting student data and immediately notifying district officials in the event of a data breach.
City officials have asked the New York City Attorney’s Office and the FBI to investigate. In May, the New York City Department of Education, which is conducting its own investigation, ordered local schools to stop using Illuminate products.
“Our students deserved a partner focused on proper security, but instead their information has been put at risk,” Mayor Eric Adams said in a statement to The New York Times. Mr. Adams added that his administration is working with regulators “as we urge them to hold the company fully accountable for failing to provide our students with the assurances that were promised.”
The Illuminate hack affected another 174,000 students in 22 school districts across the state, according to the New York State Education Department, which is conducting its own investigation.
Over the past four months, Illuminate has also notified more than a dozen other districts — in Connecticut, California, Colorado, Oklahoma and Washington state — about the cyberattack.
Illuminate declined to say how many school districts and students were affected. In a statement, the company said it worked with outside experts to investigate the security incident and concluded that student information “may have been the subject of unauthorized access” between December 28, 2021 and January 8, 2022. The statement said Illuminate has five full-time employees dedicated to security operations.
Illuminate maintains student data on Amazon Web Services’ online storage system. Cybersecurity experts said many companies have inadvertently made their AWS storage buckets easy for hackers to find – by naming the buckets after company platforms or products.
In the wake of the hack, Illuminate said it hired six additional full-time security and compliance staff, including a chief information security officer.
Following the cyberattack, the company also made numerous security upgrades, according to a letter from Illuminate to a Colorado school district. Among other changes, the letter states, Illuminate has introduced continuous third-party monitoring on all of its AWS accounts and now enforces improved login security on its AWS files.
But during an interview with a reporter, Greg Pollock, the vice president of cyber research at UpGuard, a cybersecurity risk management firm, found one of Illuminate’s AWS buckets with an easy-to-guess name. The reporter then found a second AWS bucket named after a popular Illuminate platform for schools.
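The preceding paragraphs describe the two weaknesses the experts point to: buckets that are easy to find because their names reveal the product they serve, and bucket settings that are not uniformly hardened across an account. The following added example (written for this page, not code from Illuminate, UpGuard or AWS) shows the kind of account-side audit a defender would run over bucket configuration. The bucket names, product names and settings are constructed; the dictionary shape mirrors what boto3’s `get_public_access_block` returns, but the data is embedded inline so the check runs offline.

```python
"""Audit S3 bucket posture for the weaknesses discussed above.

Hypothetical defender-side check, not any vendor's own tooling.
In a live account each bucket's public-access settings would come from
boto3:  s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
Here the dicts are constructed inline so the example runs without AWS access.
"""
from dataclasses import dataclass, field

# The four account/bucket-level Block Public Access switches S3 exposes.
PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Constructed product names; a real audit would use the organisation's own list.
PRODUCT_NAMES = ("gradebook", "attendance")


@dataclass
class BucketPosture:
    name: str
    public_access_block: dict          # shape of PublicAccessBlockConfiguration
    sse_configured: bool               # default server-side encryption set
    access_logging: bool               # server access logging enabled
    product_names: tuple = field(default_factory=lambda: PRODUCT_NAMES)


def findings_for(bucket: BucketPosture) -> list:
    """Return a list of human-readable findings; an empty list means hardened."""
    issues = []
    # 1. Every Block Public Access switch must be on; a missing key counts as off.
    for key in PUBLIC_ACCESS_KEYS:
        if not bucket.public_access_block.get(key, False):
            issues.append(f"public-access-block {key} disabled")
    # 2. Data at rest should be encrypted by default.
    if not bucket.sse_configured:
        issues.append("no default server-side encryption")
    # 3. Access logging is what lets you reconstruct who touched the data.
    if not bucket.access_logging:
        issues.append("server access logging off")
    # 4. Discoverability: a bucket named after the product is easy to guess.
    lowered = bucket.name.lower()
    for product in bucket.product_names:
        if product.lower() in lowered:
            issues.append(f"bucket name reveals product '{product}'")
    return issues


def audit(buckets) -> dict:
    """Map each bucket name to its findings."""
    return {b.name: findings_for(b) for b in buckets}


def buckets_needing_attention(report: dict) -> list:
    """Sorted names of buckets with at least one finding."""
    return sorted(name for name, issues in report.items() if issues)


# Constructed sample inventory: one weak, one hardened, one partially fixed.
SAMPLE_BUCKETS = [
    BucketPosture(
        name="example-gradebook-prod",
        public_access_block={k: False for k in PUBLIC_ACCESS_KEYS},
        sse_configured=False,
        access_logging=False,
    ),
    BucketPosture(
        name="a7c3-d41e-student-records",   # opaque name, all controls on
        public_access_block={k: True for k in PUBLIC_ACCESS_KEYS},
        sse_configured=True,
        access_logging=True,
    ),
    BucketPosture(
        name="example-attendance-backup",
        public_access_block={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": False,
            "RestrictPublicBuckets": False,
        },
        sse_configured=True,
        access_logging=False,
    ),
]


if __name__ == "__main__":
    report = audit(SAMPLE_BUCKETS)
    for name in buckets_needing_attention(report):
        print(name)
        for issue in report[name]:
            print("  -", issue)
```

The name check is deliberately the last finding: renaming a bucket is disruptive, whereas turning on the four Block Public Access switches and access logging is an account-wide setting that closes the more serious gap first. Running the same audit on a schedule is the cheapest form of the “continuous monitoring” the letter to the Colorado district describes.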
Illuminate said it could not provide details on its security practices “due to security concerns.”
After a spate of cyberattacks on ed-tech companies and public schools, education officials said it was time for Washington to step in to protect students.
“Federal changes are overdue and could have immediate and statewide implications,” said Mr. Styer, the New York Schools spokesman. For example, Congress could amend the federal privacy rules for educational institutions to impose data security requirements on school providers, he said. That would allow federal agencies to levy fines on companies that don’t comply.
An agency has already cracked down – but not on behalf of the students.
Last year, the Securities and Exchange Commission charged Pearson, a major provider of school assessment software, with misleading investors over a cyberattack that stole the birth dates and email addresses of millions of students. Pearson agreed to pay $1 million to settle the charges.
Mr. Balderas, the attorney general, said he was angry that financial regulators acted to protect investors in the Pearson case – even as privacy regulators failed to speak up on behalf of schoolchildren who have been victims of cybercrime.
“My concern is that there will be bad actors who will take advantage of a public school environment, especially if they think the technology protocols aren’t very robust,” Balderas said. “And I don’t know why Congress isn’t scared yet.”