Personal data for roughly 820,000 current and former New York City public school students was compromised in the hack of a widely used online grading and attendance system earlier this year, city Education Department officials said, revealing what could be the largest-ever breach of K-12 student data in the United States.
Furious city Education Department officials are accusing Illuminate Education, the California-based company behind the popular Skedula and PupilPath platforms, of misrepresenting its cybersecurity measures by certifying that it encrypts all student data when in fact the company left some of it unencrypted.
The breach prompted a weeklong shutdown of grading and attendance systems in January, causing chaos at city schools. The hackers gained access to a database with the names, birthdays, ethnicities, home languages and student ID numbers of current and former public school students going back to the 2016-17 school year, Illuminate told the Education Department. Illuminate did not specify what categories of information were compromised for each of the 820,000 affected students.
The hackers also extracted information about whether students get special education services, class and teacher schedules, and whether kids receive free lunch, according to the Education Department.
The hack amounts to what is likely the largest-ever single breach of personal student data in the U.S., according to an expert who has tracked school cybersecurity incidents, and raises a host of new privacy questions for families and city schools. “I can’t think of another school district that has had a student data breach of that magnitude stemming from one incident,” said Doug Levin, the national director of K12 Security Information Exchange, a group that has tracked cyberattacks targeting schools and education platforms since 2016. There are roughly 930,000 students in the city public school system.
The compromised data falls into four categories: “biographic information,” which includes full names, birthdays, student ID numbers, ethnicity and language information; “special education information,” which discloses whether a student receives services for a disability; “sensitive information,” which relates to a student’s economic status; and “academic information,” which includes students’ assessment grades and the names of their teachers.
Illuminate didn’t break down how many students were affected in each category of compromised data, other than disclosing that the hackers accessed economic status information for 15,000 students.