The software many school districts use to track student progress can capture highly confidential information about children: “Intellectual Disability”. “Emotional Disorder.” “Homeless.” “Disruptive.” “Defiance.” “Perpetrator.” “Excessive talking.” “Must take tutoring.”
Now, these systems are under scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student tracking software, which exposed the personal information of more than a million current and former students in dozens of counties, including New York City. and Los Angeles, the nation’s largest public school systems.
Officials said that in some districts, the data includes students’ names, birth dates, races or ethnicities, and test scores. At least one district said the data contained more intimate information, such as student lateness, migrant status, behavioral incidents and descriptions of disabilities.
The exposure of such private information can have long-term consequences.
“If you’re a bad student and had disciplinary issues and that information is available now, how do you recover?” said Joe Green, a cybersecurity professional and parent of a high school student in Erie, Colorado, whose high school son was affected by the hack. ‘It’s your future. It’s going to college, getting a job. It’s everything.”
Over the past decade, technology companies and educational innovators have pushed schools to adopt software systems that can catalog and categorize students’ outbursts, absenteeism, and learning disabilities. The purpose of such tools is well-intended: to help teachers identify and intervene in at-risk learners. However, as these student tracking systems have proliferated, so have cyberattacks on school software vendors, including a recent hack that hit the Chicago Public Schools, the nation’s third-largest district.
Now, some cybersecurity and privacy experts say the cyberattack on Illuminate Education amounts to a warning to industry and government regulators. While it wasn’t the biggest hack on an ed-tech company, these experts say they are troubled by the nature and scope of the data breach, in some cases involving sensitive personal details about students or student data from more than a decade ago. . At a time when some education technology companies have collected sensitive information about millions of schoolchildren, they say the safeguards for student data seem utterly inadequate.
“There’s been a truly epic failure,” said Hector Balderas, the New Mexico attorney general, whose office has sued tech companies for violating the privacy of children and students.
In a recent interview, Mr. Balderas argued that Congress had failed to enact modern, meaningful data protection for students, while regulators had not held the tech companies responsible for violating the privacy and security of student data.
“There is definitely an enforcement and liability gap,” said Mr Balderas.
In a statement, Illuminate said it had “no evidence that information was the subject of actual or attempted misuse” and that it had “implemented security enhancements to prevent further cyberattacks.”
Nearly a decade ago, privacy and security experts began warning that the proliferation of advanced data mining tools in schools was rapidly outpacing the protection of students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and security laws. In 2014, dozens of K-12 ed-tech providers joined a national Student Privacy Pledge, promising to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which employs deceptive privacy practices, could hold companies to their obligations. President Obama endorsed the pledge and praised participating companies in a major privacy speech at the FTC in 2015.
The FTC has a long history of fining companies for violating children’s privacy on consumer services such as YouTube and TikTok. However, despite numerous reports of ed-tech companies with problematic privacy and security practices, the agency has yet to enforce the industry’s privacy promise to students.
In May, the FTC announced that regulators planned to crack down on ed-tech companies that violate a federal law — the Children’s Online Privacy Protection Act — that requires online services for children under 13 to protect their personal information. The agency is conducting a number of private investigations into ed-tech companies, said Juliana Gruenwald Henderson, a spokeswoman for the FTC.
Based in Irvine, California, Illuminate Education is one of the nation’s leading providers of student tracking software.
The company’s site says its services reach more than 17 million students in 5,200 school districts. Popular products include an attendance system and online gradebook, as well as a school platform called eduCLIMBER, which allows teachers to record students’ “social-emotional behavior” and color-code children as green (“on schedule”) or red (” not on track”).
Illuminate has promoted its cybersecurity. In 2016, the company announced it had joined the industry pledge to show its “support for protecting” student data.
Concerns about a cyberattack arose in January after some school teachers in New York City discovered their online attendance and gradebook systems were down. Illuminate said it has temporarily taken those systems offline after it became aware of “suspicious activity” on part of its network.
On March 25, Illuminate informed the district that certain corporate databases were subject to unauthorized access, said Nathaniel Styer, the press secretary for New York City Public Schools. The incident, he said, affected about 800,000 current and former students at about 700 local schools.
For affected New York City students, data includes first and last name, school name, and student ID number, as well as at least two of the following: date of birth, gender, race or ethnicity, home language, and class information such as the teacher’s name. In some cases, students’ disability status was also affected, i.e. whether or not they received special education.
New York City officials said they were outraged. In 2020, Illuminate signed a strict data agreement with the district that required the company to protect student data and notify district officials immediately in the event of a data breach.
City officials have asked the New York Attorney General’s office and the FBI to investigate. In May, the New York City Education Department, which conducts its own investigation, instructed local schools to stop using Illuminate products.
“Our students deserved a partner who focused on adequate security, but instead their information was compromised,” Mayor Eric Adams said in a statement to The New York Times. Mr. Adams added that his administration was working with regulators “while doing everything we can to hold the company fully accountable for not providing the assurance promised to our students.”
The Illuminate hack affected an additional 174,000 students in 22 school districts across the state, according to the New York State Education Department, which conducts its own investigation.
In the past four months, Illuminate has also notified more than a dozen other districts — in Connecticut, California, Colorado, Oklahoma and Washington State — of the cyberattack.
Illuminate declined to say how many school districts and students were affected. In a statement, the company said it had worked with outside experts to investigate the security incident and concluded that student information between December 28, 2021 and January 8, 2022 “may have been subject to unauthorized access.” the statement said, Illuminate had five full-time employees dedicated to security operations.
Illuminate stored student data on Amazon Web Services’ online storage system. Cybersecurity experts said many companies had inadvertently made their AWS storage buckets easy for hackers to find – by naming databases after company platforms or products.
In the wake of the hack, Illuminate said it had hired six additional full-time security and compliance officers, including a chief information security officer.
Following the cyberattack, the company also made numerous security upgrades, according to a letter Illuminate sent to a Colorado school district. The letter stated, among other things, that Illuminate has instituted continuous third-party monitoring on all of its AW.S. accounts and now enforces enhanced login security for its AWS files.
But during an interview with a reporter, Greg Pollock, the vice president of cyber research at UpGuard, a cybersecurity risk management firm, found one of Illuminate’s AWS buckets with an easy-to-guess name. The reporter then found a second AWS bucket, named after a popular Illuminate platform for schools.
Illuminate said it could not provide details about its security practices for security reasons.
After a spate of cyberattacks targeting both tech companies and public schools, education officials said it was time for Washington to step in to protect students.
“Changes at the federal level are overdue and could have an immediate and nationwide impact,” said Mr. Styer, the spokesperson for the schools in New York City. For example, Congress could change federal education privacy rules to impose data security requirements on school vendors, he said. That would allow federal agencies to fine companies that don’t follow the rules.
One agency has already acted, but not on behalf of students.
Last year, the Securities and Exchange Commission accused Pearson, a major provider of school assessment software, of misleading investors over a cyberattack that stole the birth dates and email addresses of millions of students. Pearson agreed to pay $1 million to settle the costs.
The Attorney General, Mr. Balderas, said he was outraged that financial regulators had acted to protect investors in the Pearson case, even as privacy regulators failed to act for schoolchildren who were victims of cybercrime.
“My concern is that there will be bad actors who will exploit a public school environment, especially if they think the technology protocols are not very robust,” Mr Balderas said. “And I don’t know why Congress isn’t terrified yet.”