Illuminate Education Mega-Breach Affects K-12 Students

Probe Finds 1 Million Students' Personal Details Stolen From Unencrypted Database
Excerpt of a breach notification letter distributed by Colorado's Pueblo County School District 70 (Source: KOAA News5)

New York state officials have launched an investigation into a data breach involving a widely used digital education software platform that exposed protected, personal information for more than 1 million school-age children.

The breach occurred after an attacker accessed systems operated by Illuminate Education, a software platform designed for K-12 school districts that allows educators to track and report on a number of attributes, including grades, attendance and class schedules, as well as to communicate with parents.

Illuminate, which is based in Irvine, California, says its tools are used by 5,200 school districts and schools across all 50 states, encompassing more than 17 million students. The company reportedly earns about $126 million in annual revenue.

The company declined to comment on how many current and former students' information has been exposed or how many schools or school districts have been affected. But it says its investigation is now complete and all the affected schools are being notified.

"We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved," a spokesperson tells Information Security Media Group. "We are in the process of notifying all customers that were affected and are working closely with customers to notify individuals who may be affected. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again."

Intrusion Began in December

In a breach notification to some affected families, Illuminate Education says it detected the data breach on Jan. 8 and immediately brought in third-party digital forensic experts to investigate. "On March 4, our investigation confirmed that certain databases, containing potentially protected student information were subject to unauthorized access between Dec. 28, 2021 and Jan. 8," it says.

Signs that something might be amiss first came to light publicly Jan. 8, when Illuminate experienced an outage. In retrospect, this now appears to have been the company taking multiple applications offline - including IO Classroom, formerly known as Skedula, as well as IO Assessment, IO Insights, EduClimber, PupilPath and Compass - while it investigated the suspected intrusion.

The software is used by numerous school districts, in part to track K-12 students' grades as well as to communicate with parents. Use of such tools has grown due to the COVID-19 pandemic and the switch to remote learning, as well as for snow days.

Illuminate Education's chief operating officer, Scott Virkler, told ZDNet in January that the priority in the aftermath of a "security incident" was "to restore service as soon as possible and do everything in our power to help users."

At that time, New York's Department of Education reported that there was as yet no indication that student data had been exposed in the breach.

But as data breach investigations progress, investigators often find evidence that the breach is worse than it first seemed. In part, this is why security experts often recommend not rushing breach notifications - regulations or other rules permitting - so that the actual impact of the security incident and what victims should do to protect themselves can be ascertained first (see: Data Breach Notifications: What's Optimal Timing?).

Unencrypted Database Breached

As investigators probed the Illuminate security breach, they discovered that an attacker had accessed personal data for some current and former students, dating back to the start of the 2016 school year.

Illuminate says the attacker did not directly access the platforms affected by the outage, but did access a database storing some information in unencrypted format from those platforms, reports threat intelligence firm Recorded Future's The Record news site.

According to various breach notifications issued by affected schools, exposed information for each student included name, date of birth, gender, ID number, course enrollment and class schedules, among other details. For some schools, exposed information also reportedly included whether a student received special education services or free lunches.

On Thursday, education technology media site THE Journal reported that a Freedom of Information Request it filed with the New York State Education Department revealed that 565 schools in the state - out of 4,400 in total - were affected by the breach, with information being exposed for more than 1 million current and former students.

New York state officials told THE Journal that the information had come via Illuminate, in part because technology choices are left to individual school districts or schools. Hence state officials had no master list of who was using Illuminate Education products.

California, Colorado and Connecticut Schools Also Affected

NBC affiliate KOAA News5 this week reported that at least three Colorado school districts - 12, 51 and 70 - were also affected, and parents recently received data breach notification letters.

Colorado's Mesa County Valley School District 51, which currently enrolls about 21,000 students, told families on April 22: "The databases impacted by the unauthorized access may have included student names, academic and behavior information, enrollment information, accommodation information, special education information and demographic information. Social Security numbers and financial information was not part of the breach."

Another affected school district: Connecticut's Coventry Public Schools, which said that "affected families will be receiving a mailing from Illuminate Education offering those children complimentary access to 12 months of identity monitoring services through IDX." The school district has a current enrollment of about 1,650 students.

On Tuesday, California's Rocklin Unified School District, located northeast of Sacramento, submitted a data breach notification to the state attorney general's office indicating that it too was impacted by the Illuminate Education data breach. The district has a current enrollment of more than 11,000 students. As required by state law for any breach notice that gets sent to more than 500 state residents, the school district included a sample of the notification. It includes details of the breach, as outlined above, plus instructions for signing up for the IDX credit monitoring, and is signed by Scott Virkler, chief product officer at Illuminate Education.

New York Orders Victim Notification

The New York State Education Department has instructed all affected schools to notify all parents or guardians of current students affected by the breach and - whenever possible - to alert former students who may have been affected.

New York state law says that "where a breach or unauthorized release is attributed to a third-party contractor, the third-party contractor shall pay for or promptly reimburse the educational agency for the full cost of the notifications."

New York state officials and Illuminate didn't immediately respond to requests for details on how those costs are being tracked or reimbursed.

THE Journal reports that New York state is probing the data breach. Under New York State Education Law 2-D, any third-party contractor who violates the state's data privacy law "shall be punishable by a civil penalty of the greater of $5,000 or up to $10 per student, teacher and principal whose data was released," up to a current maximum of $150,000.


Update (May 11): Added details pertaining to another school district that said it was impacted by the data breach: Rocklin Unified School District in California.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
