Software that many school districts use to track student progress may record highly confidential information about children: “Intellectual disabilities.” “Emotional disturbances.” “Homeless.” “Disruptive.” “Challenge.” “Destroyer.” “Talking too much.” “You should attend tutoring.”
These systems are now under scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student tracking software, affected the personal information of more than a million current and former students in dozens of counties — including in New York City and Los Angeles, the nation’s largest public school systems.
In some counties, the data included a student’s name, date of birth, race or ethnicity, and test scores, officials said. At least one school district said the data included more intimate information such as tardy rates, immigration status, behavioral incidents and descriptions of disabilities.
Disclosure of such private information can have long-term consequences.
“If you were a bad student and had a disciplinary problem and that information is already out there, how do you restore that?” said Joe Green, a cybersecurity expert and parent of a high school student in Erie, Colo., whose son was affected by the hack. “It is your future. It’s going to college, getting a job. That’s everything.”
Over the past decade, technology companies and education innovators have pushed schools to adopt software systems that can catalog and categorize overreach, absenteeism, and student learning challenges. The purpose of these tools is significant: to help educators identify and intervene with students at risk. However, as these student-tracking systems spread, cyberattacks targeted school software vendors – including a recent hack that affected Chicago Public Schools, the nation’s third largest county.
Now, some privacy and cybersecurity experts say the cyberattack on Illuminate Education is a warning to industry and government regulators. While it’s not the biggest hack of a tech company, these experts say they’re troubled by the nature and scope of the data breach – which in some cases involves sensitive personal details about students or student data dating back more than a decade. At a time when several educational technology companies have collected sensitive information about millions of school-going children, they say the safeguards for student data appear to be completely inadequate.
In a recent interview, Mr. Balderas said that Congress failed to enact modern, meaningful data protection measures for students while regulators failed to hold technology companies responsible for the loss of privacy and security of student data.
“There is absolutely an enforcement and accountability gap,” Mr. Balderas said.
In a statement, Illuminate said that it had “no evidence that any information was actually misused or intended” and that it had “implemented security enhancements to prevent” the next network attack.
Nearly a decade ago, privacy and security experts began warning that the spread of sophisticated data miners in schools was accelerating, without increased protection for students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and security laws. In 2014, dozens of K-12 ed technology providers signed a national Commitment to Student Privacy, promising to maintain a “comprehensive security program.”
Proponents of the pledge say the Federal Trade Commission, which regulates privacy fraud, will be able to hold companies to their commitments. President Obama endorsed the pledge, praising participating companies during a major privacy speech at the FTC in 2015.
The FTC has a long history of penalizing companies for violating children’s privacy on consumer services like YouTube and TikTok. Despite many reports of high-tech companies with problematic privacy and security practices, the agency has yet to enforce the industry’s commitment to student privacy.
In May, the FTC announced that regulators intend to punish tech companies for violating a federal law – the Children’s Online Privacy Protection Act – that requires online services for children under the age of 13 to protect their personal data. Juliana Gruenwald Henderson, a spokeswoman for the FTC, said the agency is pursuing a number of non-public investigations into high-tech companies.
Headquartered in Irvine, California, Illuminate Education is one of the nation’s leading providers of student tracking software.
The company’s website says its service reaches more than 17 million students in 5,200 school districts. Popular products include online attendance and gradebook systems as well as a school platform, known as eduCLIMBER, that allows educators to document the “socio-emotional behavior” of students and to color-code children green (“in the right direction”) or red (“in the wrong direction”).
Illuminate has promoted its cybersecurity. In 2016, the company announced that it had signed the industry pledge to show “support for protection” of student data.
Concerns about a cyberattack emerged in January after some teachers in New York City schools discovered that their online attendance and gradebook systems stopped working. Illuminate said it temporarily took those systems offline after discovering “suspicious activity” on part of its network.
On March 25, Illuminate notified the district that some of the company’s databases had been accessed without authorization, said Nathaniel Styer, press secretary for New York City Public Schools. The incident affected about 800,000 current and former students across about 700 local schools, he said.
For affected New York City students, the data included first and last name, school name, and student ID number as well as at least two of the following: date of birth, gender, race or ethnicity, home language and class information such as teacher’s name. In some cases, the student’s disability – that is, whether or not they receive special education services – is also affected.
New York City officials say they were offended. In 2020, Illuminate entered into a strict data agreement with the district requiring the company to protect student data and promptly notify district officials in the event of a data breach.
City officials have asked the New York attorney general’s office and the FBI to investigate. In May, the New York City Department of Education, which is conducting its own investigation, directed local schools to stop using Illuminate products.
“Our students deserve a partner who is focused on having adequate security, but instead, their information is at stake,” Mayor Eric Adams said in a statement to The New York Times. Mr. Adams added that his administration is working with regulators “as we push the company to take full responsibility for not providing our students with the security promised.”
The Illuminate hack affected an additional 174,000 students in 22 school districts across the state, according to the New York State Department of Education, which is conducting its own investigation.
Over the past four months, Illuminate has also notified more than a dozen other counties — in Connecticut, California, Colorado, Oklahoma and Washington State — of the cyberattack.
Illuminate declined to say how many school districts and students were affected. In a statement, the company said it had been working with external experts to investigate the security incident and had concluded that student information was “potentially subject to unauthorized access” from December 28, 2021 to January 8, 2022. At that time, the statement said, Illuminate had five full-time employees dedicated to security operations.
Illuminate keeps student data on the Amazon Web Services online storage system. Cybersecurity experts say many companies inadvertently make their AWS storage pools easy for hackers to find by naming databases after the company’s platform or product name.
Following the hack, Illuminate said it hired six more full-time security and compliance officers, including a chief information security officer.
After the cyberattack, the company also made several security upgrades, according to a letter that Illuminate sent to a school district in Colorado. Among other changes, the letter said, Illuminate has established third-party continuous monitoring across everything it keeps in AWS and is currently implementing improved login security for its AWS files.
But in an interview with reporters, Greg Pollock, vice president of cyber research for UpGuard, a cybersecurity risk management company, found one of Illuminate’s AWS teams to have a predictable name. The reporter then found a second AWS group named after the popular Illuminate platform for schools.
Illuminate said it was unable to provide details of its security practices “for security reasons”.
After a spate oEducation officials say it’s time for Washington to step in to protect students from cyberattacks on both tech companies and public schools.
“The changes at the federal level are long overdue and could have an immediate and nationwide impact,” said Styer, a spokesman for New York City schools. For instance, Congress could amend federal education privacy rules to impose data privacy requirements on school providers, he said. That would allow federal agencies to levy fines on companies that don’t comply.
An agency has cracked down – but not on behalf of students.
Last year, the Securities and Exchange Commission charged Pearson, a major supplier of review software to schools, with deceiving investors about a cyberattack in which the birth dates and email addresses of millions of students were stolen. Pearson agreed to pay $1 million to settle the charges.
Mr. Balderas, the attorney general, said he was furious that financial regulators had acted to protect investors in the Pearson case – even as privacy regulators did not stand up for the students who were victims of cybercrime.
“My concern is that there will be bad guys taking advantage of the public environment, especially when they think the technology protocols are not very robust,” Mr. Balderas said. “And I don’t know why Congress hasn’t been spooked yet.”