A major cyberattack that ensnared New York City Public Schools has now affected the Los Angeles Unified School District. The data breach from the cyberattack on Illuminate Education has reached districts in at least six states: Colorado, Connecticut, California, New York, Oklahoma and Washington, according to a report by K-12 Dive.

The LAUSD data breach occurred in December and January, and was reported in late May, according to the California Department of Justice. No additional details regarding how many students’ information was compromised or the type of data that had unauthorized access was provided.

As more districts continue to discover they’ve been affected by the Illuminate Education data breach, the New York City Department of Education has confirmed that NYC schools stopped using Illuminate Education products following the data compromise of about 820,000 of its current and former public school students.

The LAUSD notification regarding the data breach at Illuminate Education, a California-based company that provides software to track grades and attendance, means the top three largest school districts in the nation – Chicago, NYC and Los Angeles – have all recently been impacted by vendor-related data breaches.

Chicago Public Schools learned in May it faced a data breach in a separate incident that compromised the information of nearly 500,000 student records after a December ransomware attack on nonprofit edtech provider Battelle for Kids.

Illuminate Education’s products reach 17 million students in 5,200 schools and districts nationwide.

There are likely more surprises from the Illuminate Education data breach still to be revealed, experts say.

The NYC Department of Education said Illuminate Education promised it would encrypt student information in a data privacy and security agreement with the district. However, the department said the vendor did not do so when the cyberattack happened in January.

Illuminate said in a previous statement there was no evidence of any fraudulent or illegal activity. The company also said it does not store financial information or social security numbers.

As districts are increasingly at risk for student data privacy issues from growing reliance on edtech tools, experts continue to advise district leaders to take inventory of their edtech, know their state and federal laws and thoroughly read a company’s terms of use.