A cyberattack illuminates the shaky state of student privacy
By Natasha Singer, The New York Times Company
The software that many school districts use to track students’ progress can record extremely confidential information on children: “Intellectual disability.” “Emotional Disturbance.” “Homeless.” “Disruptive.” “Defiance.” “Perpetrator.” “Excessive Talking.” “Should attend tutoring.”
Now these systems are coming under heightened scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student-tracking software, which affected the personal information of more than 1 million current and former students across dozens of districts — including in New York City and Los Angeles, the nation’s largest public school systems.
Officials said in some districts the data included the names, dates of birth, races or ethnicities, and test scores of students. At least one district said the data included more intimate information such as student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.
The exposure of such private information could have long-term consequences.
“If you’re a bad student and had disciplinary problems and that information is now out there, how do you recover from that?” said Joe Green, a cybersecurity professional and parent of a high school student in Erie, Colorado, whose son’s high school was affected by the hack. “It’s your future. It’s getting into college, getting a job. It’s everything.”
Over the past decade, tech companies and education reformers have pushed schools to adopt software systems that can catalog and categorize students’ classroom outbursts, absenteeism and learning challenges. The intent of such tools is well meaning: to help educators identify and intervene with at-risk students. As these student-tracking systems have spread, however, so have cyberattacks on school software vendors — including a recent hack that affected Chicago Public Schools, the nation’s third-largest district.
Now some cybersecurity and privacy experts say that the cyberattack on Illuminate Education amounts to a warning for industry and government regulators. Although it was not the largest hack on an ed tech company, these experts say they are troubled by the nature and scope of the data breach — which, in some cases, involved delicate personal details about students or student data dating back more than a decade. At a moment when some education technology companies have amassed sensitive information on millions of schoolchildren, they say, safeguards for student data seem wholly inadequate.
“There has really been an epic failure,” said New Mexico Attorney General Hector Balderas, whose office has sued tech companies for violating the privacy of children and students.
In a recent interview, Balderas said Congress had failed to enact modern, meaningful data protections for students while regulators had failed to hold ed tech firms accountable for flouting student data privacy and security.
“There absolutely is an enforcement and an accountability gap,” Balderas said.
In a statement, Illuminate said that it had “no evidence that any information was subject to actual or attempted misuse” and that it had “implemented security enhancements to prevent” further cyberattacks.
Nearly a decade ago, privacy and security experts began warning that the spread of sophisticated data-mining tools in schools was rapidly outpacing protections for students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and security laws. In 2014, dozens of K-12 ed tech providers signed on to a national student privacy pledge, promising to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which polices deceptive privacy practices, would be able to hold companies to their commitments. President Barack Obama endorsed the pledge, praising participating companies in a major privacy speech at the FTC in 2015.
The FTC has a long history of fining companies for violating children’s privacy on consumer services such as YouTube and TikTok. Despite numerous reports of ed tech companies with problematic privacy and security practices, however, the agency has yet to enforce the industry’s student privacy pledge.
In May, the FTC announced that regulators intended to crack down on ed tech companies that violate a federal law — the Children’s Online Privacy Protection Act — which requires online services aimed at children younger than 13 to safeguard their personal data. The agency is pursuing a number of nonpublic investigations into ed tech companies, said Juliana Gruenwald Henderson, an FTC spokesperson.
Based in Irvine, California, Illuminate Education is one of the nation’s leading vendors of student-tracking software.
The company’s site says its services reach more than 17 million students in 5,200 school districts. Popular products include an attendance-taking system and an online grade book as well as a school platform, called eduCLIMBER, that enables educators to record students’ “social-emotional behavior” and color-code children as green (“on track”) or red (“not on track”).
Illuminate has promoted its cybersecurity. In 2016, the company announced that it had signed on to the industry pledge to show its “support for safeguarding” student data.
Concerns about a cyberattack emerged in January after some teachers in New York City schools discovered that their online attendance and grade book systems had stopped working. Illuminate said it temporarily took those systems offline after it became aware of “suspicious activity” on part of its network.
On March 25, Illuminate notified the district that certain company databases had been subject to unauthorized access, said Nathaniel Styer, press secretary for New York City Public Schools. The incident, he said, affected about 800,000 current and former students across roughly 700 local schools.
For the affected New York City students, data included first and last names, school name and student ID number as well as at least two of the following: birth date, gender, race or ethnicity, home language, and class information such as teacher name. In some cases, students’ disability status — that is, whether or not they received special-education services — was also affected.
New York City officials said they were outraged. In 2020, Illuminate signed a strict data agreement with the district requiring the company to safeguard student data and promptly notify district officials in the event of a data breach.
City officials have asked the New York attorney general’s office and the FBI to investigate. In May, New York City’s education department, which is conducting its own investigation, instructed local schools to stop using Illuminate products.
“Our students deserved a partner that focused on having adequate security, but instead their information was left at risk,” Mayor Eric Adams said in a statement to The New York Times. Adams added that his administration was working with regulators “as we push to hold the company fully accountable for not providing our students with the security promised.”
The Illuminate hack affected an additional 174,000 students in 22 school districts across the state, according to the New York State Education Department, which is conducting its own investigation.
Over the past four months, Illuminate has also notified more than a dozen other districts — in Connecticut, California, Colorado, Oklahoma and Washington state — about the cyberattack.
Illuminate declined to say how many school districts and students were affected. In a statement, the company said it had worked with outside experts to investigate the security incident and had concluded that student information was “potentially subject to unauthorized access” between Dec. 28 and Jan. 8. At that time, the statement said, Illuminate had five full-time employees dedicated to security operations.
Illuminate kept student data on the Amazon Web Services online storage system. Cybersecurity experts said many companies had inadvertently made their AWS storage buckets easy for hackers to find — by naming databases after company platforms or products.
In the wake of the hack, Illuminate said it had hired six additional full-time security and compliance employees, including a chief information security officer.
After the cyberattack, the company also made numerous security upgrades, according to a letter Illuminate sent to a school district in Colorado. Among other changes, the letter said, Illuminate instituted continuous third-party monitoring on all of its AWS accounts and is now enforcing improved login security for its AWS files.
But during an interview with a reporter, Greg Pollock, vice president for cyber research at UpGuard, a cybersecurity risk management firm, found one of Illuminate’s AWS buckets with an easily guessable name. The reporter then found a second AWS bucket named after a popular Illuminate platform for schools.
Illuminate said it could not provide details about its security practice “for security reasons.”
After a spate of cyberattacks on both ed tech companies and public schools, education officials said it was time for Washington to intervene to protect students.
“Changes at the federal level are overdue and could have an immediate and nationwide impact,” said Styer, the New York City schools spokesperson. Congress, for instance, could amend federal education privacy rules to impose data security requirements on school vendors, he said. That would enable federal agencies to levy fines on companies that failed to comply.
One agency has already cracked down — but not on behalf of students.
Last year, the Securities and Exchange Commission charged Pearson, a major provider of assessment software for schools, with misleading investors about a cyberattack in which the birth dates and email addresses of millions of students were stolen. Pearson agreed to pay $1 million to settle the charges.
Balderas, New Mexico’s attorney general, said he was infuriated that financial regulators had acted to protect investors in the Pearson case — even as privacy regulators failed to step up for schoolchildren who were victims of cybercrime.
“My concern is there will be bad actors who will exploit a public school setting, especially when they think that the technology protocols are not very robust,” Balderas said. “And I don’t know why Congress isn’t terrified yet.”
This article originally appeared in The New York Times.