The software that many school districts use to track students’ progress can record extremely confidential information on children: “Intellectual disability.” “Emotional Disturbance.” “Homeless.” “Disruptive.” “Defiance.” “Perpetrator.” “Excessive Talking.” “Should attend tutoring.”
Now these systems are coming under heightened scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student-tracking software, which affected the personal information of more than a million current and former students across dozens of districts — including in New York City and Los Angeles, the nation’s largest public school systems.
Officials said in some districts the data included the names, dates of birth, races or ethnicities and test scores of students. At least one district said the data included more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.
The exposure of such private information could have long-term consequences.
“If you’re a bad student and had disciplinary problems and that information is now out there, how do you recover from that?” said Joe Green, a cybersecurity professional and parent of a high school student in Erie, Colo., whose son’s high school was affected by the hack. “It’s your future. It’s getting into college, getting a job. It’s everything.”
Over the last decade, tech companies and education reformers have pushed schools to adopt software systems that can catalog and categorize students’ classroom outbursts, absenteeism and learning challenges. The intent of such tools is well meaning: to help educators identify and intervene with at-risk students. As these student-tracking systems have spread, however, so have cyberattacks on school software vendors — including a recent hack that affected Chicago Public Schools, the nation’s third-largest district.
Now some cybersecurity and privacy experts say that the cyberattack on Illuminate Education amounts to a warning for industry and government regulators. Although it was not the largest hack on an ed tech company, these experts say they are troubled by the nature and scope of the data breach — which, in some cases, involved delicate personal details about students or student data dating back more than a decade. At a moment when some education technology companies have amassed sensitive information on millions of school children, they say, safeguards for student data seem wholly inadequate.
“There has really been an epic failure,” said Hector Balderas, the attorney general of New Mexico, whose office has sued tech companies for violating the privacy of children and students.
In a recent interview, Mr. Balderas said that Congress had failed to enact modern, meaningful data protections for students while regulators had failed to hold ed tech firms accountable for flouting student data privacy and security.
“There absolutely is an enforcement and an accountability gap,” Mr. Balderas said.
In a statement, Illuminate said that it had “no evidence that any information was subject to actual or attempted misuse” and that it had “implemented security enhancements to prevent” further cyberattacks.
Nearly a decade ago, privacy and security experts began warning that the spread of sophisticated data-mining tools in schools was rapidly outpacing protections for students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and security laws. In 2014, dozens of K-12 ed tech providers signed on to a national Student Privacy Pledge, promising to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which polices deceptive privacy practices, would be able to hold companies to their commitments. President Obama endorsed the pledge, praising participating companies in a major privacy speech at the F.T.C. in 2015.
In May, the F.T.C. announced that regulators intended to crack down on ed tech companies that violate a federal law — the Children’s Online Privacy Protection Act — which requires online services aimed at children under 13 to safeguard their personal data. The agency is pursuing a number of nonpublic investigations into ed tech companies, said Juliana Gruenwald Henderson, an F.T.C. spokeswoman.
Based in Irvine, Calif., Illuminate Education is one of the nation’s leading vendors of student-tracking software.
The company’s site says its services reach more than 17 million students in 5,200 school districts. Popular products include an attendance-taking system and an online grade book as well as a school platform, called eduCLIMBER, that enables educators to record students’ “social-emotional behavior” and color-code children as green (“on track”) or red (“not on track”).
Concerns about a cyberattack emerged in January after some teachers in New York City schools discovered that their online attendance and grade book systems had stopped working. Illuminate said it temporarily took those systems offline after it became aware of “suspicious activity” on part of its network.
On March 25, Illuminate notified the district that certain company databases had been subject to unauthorized access, said Nathaniel Styer, the press secretary for New York City Public Schools. The incident, he said, affected about 800,000 current and former students across roughly 700 local schools.
For the affected New York City students, data included first and last names, school name and student ID number as well as at least two of the following: birth date, gender, race or ethnicity, home language and class information like teacher name. In some cases, students’ disability status — that is, whether or not they received special education services — was also affected.
New York City officials said they were outraged. In 2020, Illuminate signed a strict data agreement with the district requiring the company to safeguard student data and promptly notify district officials in the event of a data breach.
City officials have asked the New York attorney general’s office and the F.B.I. to investigate. In May, New York City’s education department, which is conducting its own investigation, instructed local schools to stop using Illuminate products.
“Our students deserved a partner that focused on having adequate security, but instead their information was left at risk,” Mayor Eric Adams said in a statement to The New York Times. Mr. Adams added that his administration was working with regulators “as we push to hold the company fully accountable for not providing our students with the security promised.”
The Illuminate hack affected an additional 174,000 students in 22 school districts across the state, according to the New York State Education Department, which is conducting its own investigation.
Over the last four months, Illuminate has also notified more than a dozen other districts — in Connecticut, California, Colorado, Oklahoma and Washington State — about the cyberattack.
Illuminate declined to say how many school districts and students were affected. In a statement, the company said it had worked with outside experts to investigate the security incident and had concluded that student information was “potentially subject to unauthorized access” between Dec. 28, 2021, and Jan. 8, 2022. At that time, the statement said, Illuminate had five full-time employees dedicated to security operations.
Illuminate kept student data on the Amazon Web Services online storage system. Cybersecurity experts said many companies had inadvertently made their A.W.S. storage buckets easy for hackers to find — by naming databases after company platforms or products.
In the wake of the hack, Illuminate said it had hired six additional full-time security and compliance employees, including a chief information security officer.
After the cyberattack, the company also made numerous security upgrades, according to a letter Illuminate sent to a school district in Colorado. Among other changes, the letter said, Illuminate instituted continuous third-party monitoring on all of its AW.S. accounts and is now enforcing improved login security for its A.W.S. files.
But during an interview with a reporter, Greg Pollock, the vice president for cyber research at UpGuard, a cybersecurity risk management firm, found one of Illuminate’s A.W.S. buckets with an easily guessable name. The reporter then found a second A.W.S. bucket named after a popular Illuminate platform for schools.
Illuminate said it could not provide details about its security practice “for security reasons.”
After a spate of cyberattacks on both ed tech companies and public schools, education officials said it was time for Washington to intervene to protect students.
“Changes at the federal level are overdue and could have an immediate and nationwide impact,” said Mr. Styer, the New York City schools spokesman. Congress, for instance, could amend federal education privacy rules to impose data security requirements on school vendors, he said. That would enable federal agencies to levy fines on companies that failed to comply.
One agency has already cracked down — but not on behalf of students.
Last year, the Securities and Exchange Commission charged Pearson, a major provider of assessment software for schools, with misleading investors about a cyberattack in which the birth dates and email addresses of millions of students were stolen. Pearson agreed to pay $1 million to settle the charges.
Mr. Balderas, the attorney general, said he was infuriated that financial regulators had acted to protect investors in the Pearson case — even as privacy regulators failed to step up for schoolchildren who were victims of cybercrime.
“My concern is there will be bad actors who will exploit a public school setting, especially when they think that the technology protocols are not very robust,” Mr. Balderas said. “And I don’t know why Congress isn’t terrified yet.”