Nearly a million school students' information was compromised in the largest data breach to ever hit a school district.
820,000 public school students’ information has been compromised in a New York City Department of Education data breach. Names, birthdays, gender, race, socioeconomic status, and other academic information of current and previous students were obtained through a cyber attack on the school’s vendor, Illuminate Education. This California company was hacked back in January and the details are just now coming to light about legal violations which may have occurred.
The data breach tapped into student information affecting those who attended New York City Public Schools as far back as the 2016-2017 school year. According to K12 Security Information Exchange National Director, Doug Levin, this is the largest data breach to impact a single school district. Last Friday educators accused Illuminate Education of not meeting encryption protocols for 10 different classroom platforms. If true, it would be a severe strain on the popular vendor.
Illuminate Education itself is a data management company. This company proudly declares that its services work to track students based on all of their characteristics and further the equity-based education agenda. Their website discusses education performance and students as if the children involved are projects to be worked on through programs that analyze statistics to compare students to each other and help teachers “make data-driven, system-level decisions that change trajectories and improve outcomes.” In essence, this is a program that aids public school teachers in treating every student based on how they shape up as a statistic, instead of treating all students equally as individuals who make their own decisions every day.
This company also boasts that they are qualified for purchases under COVID relief acts like CARES, ARP, CRRSA. So this data breach isn’t just another concerning issue regarding a private company. Taxpayer funds are used to purchase these products and implement them in the classroom. Records also show that in the past 3 years, Illuminate Education has made 16 million dollars from the Department of Education alone. If taxpayer money is funding the use of this company’s services in already publicly funded schools, parents and educators might question their security standards as well.
Illuminate Education states on its website, “We protect your data like it’s our own.” They claim to comply with the Family Educational Rights and Privacy Act (FERPA) to put proper safeguards in place, but with this data breach investigators aren’t fully convinced. Foul play is suspected being that it is unclear whether the company encrypted student information as they were contractually bound to do per the data and privacy agreement they signed with the district. What’s even more concerning, is that independent vendors like Illuminate Education have been the main target point of cyber attacks on schools between 2016-2021. Up to 55% of data breaches for K-12 schools students come through these independent vendors.
It is a modern issue in the technological age that requires attention and action to protect everyone involved. As the investigation of the data breach continues, families whose information has been compromised can do little to nothing but wait and see what happens. Whether identity crimes will follow suit or not is unclear, but school officials may think twice before hiring more outside companies.