California-based software company Illuminate Education recently became the target of a wave of criticism after an online hack compromised the personal information of about 820,000 current and former public school students in New York City.
Officials with the city’s Department of Education are calling the attack as likely the largest K-12 student information breach in the United States to date.
sources said the New York Post that the breach of Illuminate Education, which is used by the city’s Department of Education to track grades and attendance, resulted in a hacker gaining access to student names, birthdays, and ethnicities, as well as English language, special education, and free lunch status.
However, social security numbers and family financial information were not collected by the DOE and were not compromised, according to the sources.
The hack caused chaos earlier in the year when it forced a week-long shutdown of ratings and attendance systems in January.
According to reports from MessagesThe hacker or hackers are believed to have obtained private data dating back to the 2016-2017 school year.
Nathaniel Styer, a spokesman for the Department of Education, put the blame squarely on Illuminate’s shoulders. “We are outraged that Illuminate has represented to us and to the schools that industry-standard critical safety precautions required by law were in place when they were not,” Styer told outlets.
The city’s DOE has called on the New York City Police Department, the FBI and the state attorney general to investigate the incident, and has also requested that the state’s Department of Education investigate the Illuminate’s compliance with student privacy laws. “We understand the importance of families having confidence that their children’s privacy is being protected, and we are exploring ways to hold Illuminate accountable for violating that trust,” Styer added in the press statement.
Until now, Skedula and PupilPath – two online portals – have helped public educators keep track of student attendance and performance. The services are taxpayer-funded and are said to be top-down encrypted.
But officials at the city’s Department of Education don’t believe Illuminate Education has made safety levels fully transparent.
The recent hack revealed that there were parts of the company’s service that weren’t as protected as they had led their users to believe.
Illuminate has stated that it is working to prevent the problem from reoccurring.
“There is no evidence of fraudulent or illegal activity related to this incident,” Illuminate said in a press release, cited by The post. “The security of the data we hold in our custody is one of our top priorities and we have already taken important steps to prevent this from happening again.”
This isn’t the first time hackers have exploited online vulnerabilities in educational centers. Earlier this year, hackers targeted a New Mexico middle school, excluding teachers and students from its attendance records and class rolls. Administrators later discovered a ransomware attack that had blocked access to emergency contacts and other vital information.
During the COVID-19 pandemic, hacker groups like Russia-based group Ryuk launched similar attacks on facilities like hospitals rich in sensitive personal information. These attacks focused on shutting down hospital functions and forcing facilities to either pay or bypass the hack.
Illuminate is just the latest target in a series of hacking attacks that have targeted children, education and public services. Investigators have not yet identified the hacker or hackers responsible for the attack.