Cyberattack 'illuminates' shaky state of student privacy in the US

Experts say attack on Illuminate Education, a leading provider of student-tracking software, amounts to a warning for industry

The software that many school districts use to track students’ progress can record extremely confidential information on children: “Intellectual disability.” “Emotional Disturbance.” “Homeless.” “Disruptive.” “Defiance.” “Perpetrator.” “Excessive Talking.” “Should attend tutoring.”

Now these systems are coming under heightened scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student-tracking software, which affected the personal information of more than a million current and former students across dozens of districts — including in New York City and Los Angeles, the nation’s largest public school systems.

Officials said in some districts the data included the names, dates of birth, races or ethnicities and test scores of students. At least one district said the data included more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.

The exposure of such private information could have long-term consequences.

“If you’re a bad student and had disciplinary problems and that information is now out there, how do you recover from that?” said Joe Green, a cybersecurity professional and parent of a high school student in Erie, Colo., whose son’s high school was affected by the hack. “It’s your future. It’s getting into college, getting a job. It’s everything.”

Over the last decade, tech companies and education reformers have pushed schools to adopt software systems that can catalog and categorize students’ classroom outbursts, absenteeism and learning challenges. The intent of such tools is well meaning: to help educators identify and intervene with at-risk students. As these student-tracking systems have spread, however, so have cyberattacks on school software vendors.

Now some cybersecurity and privacy experts say that the cyberattack on Illuminate Education amounts to a warning for industry and government regulators. Although it was not the largest hack on an ed tech company, these experts say they are troubled by the nature and scope of the data breach — which, in some cases, involved delicate personal details about students or student data dating back more than a decade. At a moment when some education technology companies have amassed sensitive information on millions of school children, they say, safeguards for student data seem wholly inadequate.

In a statement, Illuminate said that it had “no evidence that any information was subject to actual or attempted misuse” and that it had “implemented security enhancements to prevent” further cyberattacks.

Concerns about a cyberattack emerged in January after some teachers in New York City schools discovered that their online attendance and grade book systems had stopped working. Illuminate said it temporarily took those systems offline after it became aware of “suspicious activity” on part of its network.

For the affected, data included first and last names, school name and student ID number as well as at least two of the following: birth date, gender, race or ethnicity, home language and class information like teacher name. In some cases, students’ disability status was also affected.

Big brother is watching you

• Cyberattack affects personal information of more than a million current and former students across dozens of districts
• Data breach includes names, dates of birth, races or ethnicities, migrant status, behavior incidents, descriptions of disability
• Most leaked data involve personal details or student data dating back more than a decade