NEW YORK — Personal data for roughly 820,000 current and former New York City public school students was compromised in the hack of a widely used online grading and attendance system earlier this year, city Education Department officials said Friday, revealing what could be the largest-ever breach of K-12 student data in the United States.
Furious city Education Department officials are accusing Illuminate Education, the California-based company behind the popular Skedula and PupilPath platforms, of misrepresenting its cybersecurity measures by certifying that it encrypts all student data when in fact the company left some of it unencrypted.
The breach prompted a weekslong shutdown of grading and attendance systems in January, causing chaos at city schools. The hackers gained access to a database with the names, birthdays, ethnicities, home languages and student ID numbers of current and former public school students going back to the 2016-17 school year, Illuminate told the Education Department. Illuminate did not specify what categories of information were compromised for each of the 820,000 affected students.
The hackers also extracted information about whether students get special education services, class and teacher schedules, and whether kids receive free lunch, according to the Education Department.
The hack amounts to what is likely the largest-ever single breach of personal student data in the U.S., according to an expert who has tracked school cybersecurity incidents, and raises a host of new privacy questions for families and city schools.
“I can’t think of another school district that has had a student data breach of that magnitude stemming from one incident,” said Doug Levin, the national director of K12 Security Information Exchange, a group that has tracked cyberattacks targeting schools and education platforms since 2016.
There are roughly 930,000 students in the city public school system.
The compromised data falls into four categories: “biographic information,” which includes full names, birthdays, student ID numbers, ethnicity and language information; “special education information,” which discloses whether a student receives services for a disability; “sensitive information,” which relates to a student’s economic status; and “academic information,” which includes students’ assessment grades and the names of their teachers.
Illuminate didn’t break down how many students were affected in each category of compromised data, other than disclosing that the hackers accessed economic status information for 15,000 students.
DOE spokesman Nathaniel Styer blasted Illuminate for allegedly fudging its cybersecurity protocols — and promised follow-up for families and schools.
“We are outraged that Illuminate represented to us and schools that legally required industry-standard critical safeguards were in place when they were not,” he said.
Styer said the DOE asked the NYPD, FBI and New York attorney general to investigate the initial hack, and requested that the state Education Department look into Illuminate’s compliance with student data privacy laws.
“We understand how important it is that families can trust that their child’s data is protected, and we are exploring options to hold Illuminate accountable for violating that trust,” Styer added.
That Illuminate waited two months to formally notify the city of the breach “shows the company has been more concerned with protecting itself than protecting our students,” New York City Mayor Eric Adams said in a statement.
“This is completely unacceptable, and why we’ve asked the NYSED [state Education Department] to investigate Illuminate’s compliance with state law,” Adams said. “We will not tolerate bad actors in this city and plan to hold Illuminate fully accountable for not providing our students with the security and timely notification the company promised.”
In the coming weeks, the DOE said it will work with Illuminate to send the families of each of the roughly 820,000 students affected by the breach an individualized letter explaining what specific data was compromised. Illuminate will likely sponsor a credit-monitoring service for affected students, who may now be vulnerable to identity theft, education officials said.
“Certainly date of birth, names, that is sufficient to worry about that being obtained by criminal actors. I certainly think it would be appropriate credit monitoring would be offered to victims,” said Levin.
DOE officials said Illuminate has not disclosed any information about what, if anything, the hackers had done with the personal data, or whether the company paid a ransom.
Illuminate said in a statement that its investigation into “unauthorized access of our systems” found that “some personal information was involved. We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident.”
Illuminate previously certified, as part of a data privacy and security agreement, that it was encrypting all of its personal student data, but admitted in conversations with the DOE following the hack that the compromised data was not encrypted, a DOE spokesman said.
State law requires that “encryption ... must be in place when [personally identifiable student] data is stored or transferred.”
Levin said outside vendors like Illuminate that contract with schools have been the targets of an increasing number of cyberattacks — and don’t always have adequate security measures in place.
Personal data belonging to kids is especially valuable on the dark web because kids are less likely than adults to be monitoring for identity theft or credit fraud, Levin added.
“It is absolutely the case that criminals can open accounts for minors, and damage their creditworthiness even before they get out of elementary school,” he said.
That’s a big concern for Cynthia McKnight, the parent of a teenager at the Brooklyn Latin School who uses PupilPath for his grades.
“It’s shocking,” she said. “I have a family member who went through identity theft and it was horrible trying to correct ... we’re going to have to monitor his [my son’s] credit. I wasn’t expecting it so young.”
Illuminate said not all information stored in PupilPath and Skedula was compromised, according to the Education Department.
No specific data from students’ individual education plans, financial information or Social Security numbers were accessed, according to the DOE.
Levin said it’s difficult to determine without a detailed report “whether the company was negligent, or whether the DOE was negligent, or whether they had reasonable practices” and were unlucky victims.
Illuminate does not have any districtwide contracts with the city Education Department, but hundreds of individual public schools have their own deals with Illuminate and have paid the company more than $16 million since 2019.
Schools that use Skedula and PupilPath rely heavily on the systems to track grades and attendance, keep in touch with parents and even contact trace positive COVID-19 cases — which is why the weekslong outage caused such disruption for educators and families.
DOE officials said Illuminate has agreed to a review by the DOE and an independent monitor to verify its cybersecurity safeguards, and a spokesman said “we do not believe that it is in the best interest of school communities to remove this service and disrupt school operations during this school year.”
“For next school year, we are reviewing whether to allow the use of Illuminate products in our schools,” the spokesman added.