Personal Data of 820,000 NYC Students Exposed

A widely used online grading and attendance system has been hacked, causing what could be the largest ever exposure of students’ personal data in American history. 

Cyber-criminals broke into the IT systems of Illuminate Education in January, gaining access to a database containing the personal data of around 820,000 current and former New York City public school students. 

Illuminate Education is a taxpayer-funded software company based in California. The company created the popular IO Classroom, Skedula and PupilPath platforms, used by New York City’s Department of Education to track grades and attendance.  

The hack, which involved information dating back to the 2016-17 school year, was announced by the Department on Friday. Data compromised in the incident included students’ names, birthdates, ethnicities, home languages and student ID numbers.

The Department said that the attackers had exfiltrated class and teacher schedules and data regarding which students received free lunches or special education services.

K12 Security Information Exchange has tracked cyber-attacks targeting schools and education platforms since 2016. The group’s national director, Doug Levin, said: “I can’t think of another school district that has had a student data breach of that magnitude stemming from one incident.”

Illuminate’s grading and attendance platform was shut down for weeks after the hack was detected, causing disruption to city schools. The company waited two months to formally notify the city of the breach.

Education officials are now accusing Illuminate of misrepresenting the safeguards it had in place concerning student data and of failing to encrypt its IO Classroom, Skedula and Pupilpath platforms.

David Banks, chancellor of the New York City Department of Education, said: “We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not.”

Illuminate said it had not found any evidence of fraudulent or illegal activity related to the hacking incident.

New York City mayor Eric Adams accused Illuminate of being “more concerned with protecting itself than protecting our students.” He and Banks have asked the New York State Education Department and other agencies to investigate the incident and Illuminate’s compliance with state law.

What’s Hot on Infosecurity Magazine?