The software that many school districts use to track student progress can record very sensitive information about a child: an “intellectual disability.” “Emotional disturbance.” “Homelessness.” “Rupture.” “Rebellion.” “Assailant” “Talking too much”. “You should take supplementary training.”
These systems are now under intense scrutiny following the recent cyber attack on Illuminate Education, a leading provider of student tracking software. Los Angeles is the largest public school in the United States.
In some districts, the data included student names, dates of birth, race or ethnicity, and test scores, officials said. At least one school district says the data includes more detailed information, such as student tardy rates, immigration status, behavioral anecdotes, and disability descriptions.
Such disclosure of personal information can have long-term consequences.
“If you’re an underperforming student and you have a problem with disciplinary action and the information is already out there, how do you recover from it?” Cybersecurity expert and parent of a high school student in Erie, Colorado Joe Green says: His son’s high school was affected by the hack. “It’s your future. Going to college, getting a job. That’s all.”
Over the past decade, technology companies and education innovators have asked schools to adopt software systems that can catalog and categorize students’ classroom distractions, absenteeism, and learning challenges. The purpose of such tools is to enable educators to identify at-risk students and intervene. But as these student tracking systems became more popular, so did cyberattacks against school software vendors. This includes the recent hack that affected Chicago Public Schools, her third largest school district in the United States.
Some cybersecurity and privacy experts now say the cyberattack on Illuminate Education amounts to a wake-up call to industry and government regulators. While it wasn’t the biggest hack to an education tech company, these experts said they were haunted by the nature and scope of the data breach. In some cases, they contained sensitive personal information about students and student data from over 10 years ago. Some education technology companies say their measures to protect student data appear woefully inadequate once they’ve collected sensitive information about millions of schoolchildren.
“It was a truly epic failure,” said New Mexico Attorney General Hector Valderas, who has sued tech companies for violating the privacy of children and students.
In a recent interview, Valderas said Congress failed to enact modern, meaningful data protections for students, and regulators failed to hold educational technology companies accountable for neglecting the privacy and security of student data. said.
“There is definitely a gap between law enforcement and accountability,” Valderas said.
In a statement, Illuminate said there was “no evidence of actual or attempted misuse of the information” and that it “implemented security enhancements to prevent” further cyberattacks.
Nearly a decade ago, privacy and security experts began warning that the prevalence of sophisticated data mining tools in schools was rapidly outpacing the protection of student personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado, and dozens of other states have passed student data privacy and security laws. In 2014, dozens of her K-12 educational technology providers signed a nationwide student privacy pledge, committing to maintaining a “comprehensive security program.”
Proponents of the pledge said the Federal Trade Commission, which cracks down on deceptive privacy practices, could force companies to keep their promises. President Obama endorsed the pledge and praised participating companies in his big privacy speech at the FTC in 2015.
The FTC has a long history of fines companies that violate children’s privacy on consumer services like YouTube and TikTok. Despite numerous reports of educational tech companies with questionable privacy and security practices, the institution has yet to implement its student privacy pledge in the industry.
In May, the FTC plans to crack down on education tech companies violating a federal law that requires online services directed at children under 13 to protect personal data (the Children’s Online Privacy Protection Act). announced. According to FTC spokeswoman Juliana Gruenwald Henderson, the FTC has conducted a number of private investigations into her ed technology companies.
Illuminate Education, based in Irvine, California, is one of the nation’s leading vendors of student tracking software.
According to its website, its services are used by more than 17 million students in 5,200 school districts. Popular products include attendance-taking systems and online report cards, and educators who record students’ “social-emotional behavior” and mark children green (“on-going”) or green (“on-going”). or red (“not on track”).
Illuminate promotes cybersecurity. In 2016, the company announced that it had signed an industry pledge to show it “supports the protection” of student data.
Cyber-attack concerns surfaced in January after some teachers at New York City schools found their online attendance and report card systems no longer working. Illuminate said it temporarily took these systems offline after it became aware of “suspicious activity” on some of its networks.
On March 25, Illuminate notified school districts that certain corporate databases were subject to unauthorized access, said New York City Public Schools spokesperson Nathaniel Styer. The incident affected about 800,000 current and former students in about 700 local schools, he said.
Affected New York City student data included at least two of the following: name, school name, student ID number, and class information such as date of birth, gender, race or ethnicity, home language, and teacher name. was included. In some cases, the student’s disability status—that is, whether they were receiving special education services—was also affected.
New York City officials said they were outraged. In 2020, Illuminate entered into strict data agreements with school districts, requiring the company to protect student data and promptly notify district officials in the event of a data breach.
City officials have turned to the New York Attorney General’s Office and the FBI to investigate. In May, the New York City Department of Education, conducting its own investigation, directed local schools to stop using Illuminate products.
In a statement to the New York Times, Mayor Eric Adams said, “Students deserved a partner focused on ensuring adequate security, but in exchange their information was at risk. Adams said his administration was cooperating with regulators “because they are asking the company to hold them fully accountable for not providing the security they promised to their students.” added.
The Illuminate hack affected an additional 174,000 students in 22 school districts statewide, according to the New York State Department of Education, which conducted its own research.
Over the past four months, Illuminate has also notified more than 10 districts in Connecticut, California, Colorado, Oklahoma, and Washington of cyberattacks.
Illuminate declined to disclose the number of school districts and students affected. It said it concluded that student information “may have been compromised” between January 8, 2018. Illuminate has five full-time employees of hers dedicated to security operations, according to a statement.
Illuminate stored student data in Amazon Web Services’ online storage system. Cybersecurity experts say many companies have made AWS storage buckets easier for hackers to find, for example by naming databases after their platforms or products.
Following the hack, Illuminate said it has hired six additional full-time security and compliance officers, including a chief information security officer.
Illuminate also made a number of security upgrades after the cyberattack, according to a letter Illuminate sent to school districts in Colorado. Among other changes, the letter said Illuminate has begun ongoing third-party monitoring of all its AWS. I’m creating an account and increasing login security for my AWS files.
However, during an interview with a reporter, Greg Pollock, vice president of cyber research at cybersecurity risk management firm UpGuard, spotted one of Illuminate’s AWS buckets with an easily guessed name. The reporter then found his second AWS bucket, named after the popular Illuminate platform for schools.
Illuminate said it could not provide details of its security practices “for security reasons.”
After a string of cyberattacks against both educational tech companies and public schools, education officials said it was time for Washington to step in to protect its students.
“Changes at the federal level are overdue and could have immediate and nationwide impact,” said Steier, a spokesperson for New York City schools. data security requirements on school vendors, he said, allowing federal agencies to fine businesses that don’t comply.
Some institutions are already cracking down, but not on behalf of students.
Last year, the U.S. Securities and Exchange Commission indicted Pearson, a leading provider of assessment software for schools, as a misleading investor in a cyberattack that stole the birth dates and email addresses of millions of students. Did. Pearson agreed that he would pay $1 million to settle the claims.
Attorney General Valderas is furious that financial regulators have acted to protect investors in Pearson case even though privacy regulators did not intervene against schoolchildren who were victims of cybercrime said he did.
“My concern is that there are bad actors who will exploit the public school environment, especially if they think the technology protocols are not very robust,” Balderas said. said. “And I don’t understand why Congress is still not afraid.”