565 schools, over 1 million students in New York impacted by Illuminate Data Breach, according to NYSED; Colorado’s 2nd District Informs Parents — THE Journal

School Data Breach

565 schools, over 1 million students in New York impacted by Illuminate Data Breach, according to NYSED; Colorado’s 2nd District Notifies Parents

Investigation launched into Illuminate’s data protection practices, official tells newspaper

the New York State Department of Education says 565 schools across the state — including more than a million current and former students — were among those whose private student data was compromised in a January cyberattack on Light Up Educationand officials have opened an investigation, NYSED told the Journal.

The list of New York schools affected by the data breach was sent to THE Journal today in response to a freedom of information request; NYSED officials said the list came from Illuminate. New York State has just over 4,400 schools in total, according to the NYSED website.

Under New York law, each local educational agency affected by a violation must file a detailed report with NYSED within one week confirming the number of current and former students and/or staff whose data has been compromised. This process is ongoing, according to the email received today from the NYSED Records Office.

Also this week, another district in Colorado announced that it was also affected by the Illuminate data breach. According to 9News KUSA-TV in Denver, the Douglas County School District — the third-largest in Colorado with 64,000 students — sent a note to parents this week. “The district said the company, Illuminate Education, provides apps and technical support to schools across the country, including the Douglas County School District,” 9News reported. “They said ‘an unauthorized third party’ had gained access to a dataset containing student information.” The letter did not specify how many students had been affected.

Douglas County is the second in Colorado to notify parents that it has been affected by a data breach in Illuminate Education systems; Mesa County Valley School District 51 in Grand Junction, Colorado, with approximately 21,000 registrations. A neighborhood in Connecticut, Coventry Public Schoolswith approximately 1,650 registrations, also announced that it was affected by the Illuminate data breach.

So far, 17 local education agencies in New York — 15 districts and two charter school groups — have filed their data breach reports with NYSED showing that 179,377 current and former students had their private data stolen. during the incident, according to the document sent to THE Journal. That total does not include the number affected in NYC schools, where officials said in late March that about 820,000 current and former students had been affected by the Illuminate breach.

The graph shows the confirmed number of students affected by the Illuminate Education data breach at New York State education agencies who have completed their state report;  hundreds more schools are expected to file their privacy incident reports in the coming days.

All but one of the agencies whose data breach reports have been filed with the state show that more students are affected than currently enrolled; for example, Success Academy Charter Schools, which has nearly 3 dozen schools in its network, reported 55,595 students affected by the breach, while enrollment numbers on the NYSED website total just under 20. 000.

Earlier this week, an NYSED official told the Journal that its chief privacy officer launched an April 1 investigation into the data breach.

The exact number of New York City students affected by the data breach was not readily available, Deputy Director of Communications JP O’Hare said: “According to information NYSED has obtained to date, at least 1 million New York State students have been affected. .”

O’Hare’s email came in response to questions from the Journal about a sample data breach notification letter that NYSED published on its website to help New York schools notify parents that their students’ private data was compromised in the Illuminate cyberattack.

Because BOCES districts and schools make local decisions about what software to use in their schools, NYSED is not yet certain how many schools are using Illuminate Education half a dozen K-12 software products – who were all offline for a week or more during the January cyberattack, according to his service status site. The company’s website says its K-12 education technology solutions — including IO Classroom (formerly Skedula), PupilPath, EduClimber, IO Education, SchoolCity and others — serve more than 5,000 schools around the world. nationwide with a total enrollment of approximately 17 million American students.

New York law requires any third-party contractor with access to student data to encrypt student data “at rest and in motion,” O’Hare said, citing Education Act §2-d and Education Commissioner Regulations 8 NYCRR §§ 121.3(c)(6) and 121.9(a)(7).

When a breach of student data occurs, state law authorizes the NYSED Privacy Officer to “investigate and possibly impose civil penalties; direct that a third-party contractor not be permitted to access student data from the educational agency with which it has a contract or from New York State; determine that a third-party contractor is not a responsible bidder; and/or require the third-party contractor to provide training,” O’Hare explained.

Comments are closed.