The New York City Department of Education discovered a malicious actor gained unauthorized access to the personally identifiable information of about 820,000 current and former public school students. The compromised data includes students’ names, birthdays, gender, ethnicity, home language, special education status, socioeconomic status and some academic information, according to a report from K12 Dive.
The breach occurred as part of a January cyberattack on vendor Illuminate Education, a California-based company that provides software to track grades and attendance.
Illuminate promised the department it would encrypt student information in a data privacy and security agreement with the district, but the department said Illuminate had not done so during the January breach. The alleged contractual and legal violation is now under investigation by the New York State Education Department’s chief privacy officer.
The breach is one of the largest to affect a single district, according to the nonprofit K12 Security Information Exchange, which works to protect K-12 schools from cyberattacks.
In a statement, Illuminate said it is notifying customers who may have been affected by unauthorized access to personal information. The vendor said there is no related evidence of any fraudulent or illegal activity and added that it does not store financial information or Social Security numbers.
The New York City Department of Education says it will work to independently verify claims that Illuminate has increased its security protections.
The incident is an indicator of a trend in which vendors providing services to schools are at greater risk for cyberattack. In fact, school district vendors were “responsible,” as the entry point, for 55% of K-12 data breaches between 2016 and 2021.
Given the frequency vendors are found responsible for these attacks, the report recommends suppliers and vendors in the K-12 sector improve their cybersecurity practices. Some districts have looked out for certifications or included addendums to contracts to ensure vendors follow certain data privacy practices. And many states have student data privacy laws to address this issue.