A cyberattack exposes the shaky state of student privacy
The software that many school districts use to track students’ progress can record highly confidential information on children: “intellectual disabilities.” “emotional disturbance.” “Homeless.” “Disruptive.” “Oppose.” “Criminal.” “Talking too much.” “Must go to tutoring.”
These systems are now coming under intense scrutiny following a recent cyberattack on Illuminate Education, a leading provider of student-tracking software, that captured the personal information of more than a million current and former students in dozens of districts, including New York City. has affected. Los Angeles, the largest public school system in the country.
Officials said that in some districts the data includes names, date of birth, caste or ethnicity and test scores of students. At least one district said the data included more intimate information such as student retardation rates, migrant status, incidents of behavior and details of disabilities.
Exposure to such personal information can have long-term consequences.
“If you’re a bad student and you’ve had disciplinary problems and that information is now available, how do you get over that?” Joe Green, a cybersecurity professional and the parent of a high school student in Erie, Colo., whose son’s high school was affected by the hack. “It’s your future. It’s getting into college, getting a job. It’s everything.”
Over the past decade, tech companies and education reformers have pushed schools to adopt software systems that can catalog and classify students’ classroom explosions, absenteeism, and learning challenges. The intent of such tools is well-meaning: to help teachers identify and intervene with students at risk. However, as these student-tracking systems have spread, so have cyberattacks on school software vendors—including a recent hack that affected Chicago public schools, the nation’s third-largest district.
Now some cyber security and privacy experts say the cyber attack on Illuminate Education is a warning to industry and government regulators. While it wasn’t the biggest hack of an ed tech company, these experts say they are puzzled by the nature and scope of the data breach – which, in some cases, involves delicate personal details about students or student data that are more than a decade old. , At a time when some education technology companies have accumulated sensitive information about millions of school children, they say, security measures for student data are completely inadequate.
“A truly epic failure,” said New Mexico Attorney General Hector Balderas, whose office has sued tech companies for violating the privacy of children and students.
In a recent interview, Mr Balderas said Congress has failed to implement modern, meaningful data protection for students, while regulators have failed to hold ed tech firms accountable for breaches of student data privacy and security. .
“There is absolutely an enforcement and an accountability difference,” Mr Balderas said.
In a statement, Illuminate said it had “no evidence that any information was genuine or subject to attempted misuse” and that it had “implemented security enhancements” to prevent further cyberattacks.
Nearly a decade ago, privacy and security experts began to warn that the proliferation of sophisticated data-mining equipment in schools was rapidly outpacing protections for students’ personal information. Legislators came to answer.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and protection laws. In 2014, dozens of K-12 ed tech providers signed a National Student Privacy Pledge, promising to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which regulates deceptive privacy practices, would be able to keep companies up to their commitments. President Obama backed the pledge in 2015 in a major privacy speech at the FTC, praising the companies that participated.
The FTC has a long history of fined companies for violating children’s privacy on consumer services like YouTube and TikTok. Despite several reports from ed tech companies with problematic privacy and security practices, the agency has yet to implement the industry’s student privacy pledge.
In May, the FTC announced that regulators intended to crack down on ed tech companies that violate a federal law — the Children’s Online Privacy Protection Act — that requires anyone under the age of 13 to protect their personal data. Online services aimed at children are required. FTC spokeswoman Juliana Grunewald Henderson said the agency is conducting several non-public investigations into ed tech companies.
Based in Irvine, California, Illuminate Education is one of the nation’s leading vendors of student-tracking software.
The company’s site says its services reach more than 17 million students in 5,200 school districts. Popular products include an attendance-taking system and an online grade book, as well as a school platform called eduCLIMBER, which allows teachers to track students’ “social-emotional behavior” and color-code children green (“on the track”). “) enables recording. red (“not on track”).
Roshni has boosted its cyber security. In 2016, the company announced that it had signed an industry pledge to show “support for the protection” of student data.
Concerns about cyberattacks emerged in January after some teachers in New York City schools discovered that their online presence and grade book systems had stopped working. Illuminate said it temporarily took those systems offline after it became aware of “suspicious activity” on the part of its network.
On March 25, Illuminate informed the district that some company databases were subject to unauthorized access, said Nathaniel Steyer, press secretary for New York City Public Schools. He said the incident affected around 800,000 current and former students from around 700 local schools.
For affected students in New York City, the data includes first and last name, school name and student ID number as well as at least two of the following: date of birth, gender, race or ethnicity, home language, and class of Information such as the name of the teacher. In some cases, the disability status of the students – that is, whether or not they received special education services – was also affected.
New York City officials said they were outraged. In 2020, Illuminate signed a strict data agreement with the district that required the company to protect student data and notify district authorities immediately in the event of a data breach.
City officials have asked the New York Attorney General’s office and the FBI to investigate. In May, the New York City Department of Education, which is conducting its own investigation, directed local schools to stop using Illuminate products.
“Our students deserved a partner who focused on adequate security, but instead left their information at risk,” Mayor Eric Adams said in a statement to The New York Times. Mr Adams said his administration was working with regulators “as we insist on holding the company fully accountable for not providing the promised protections to our students.”
The Illuminate hack affected an additional 174,000 students in 22 school districts across the state, according to the New York State Department of Education, which is conducting its own investigation.
Over the past four months, Illuminate has also notified more than a dozen other districts in Connecticut, California, Colorado, Oklahoma and Washington state about the cyberattack.
Illuminate declined to say how many school districts and students were affected. In a statement, the company said it had worked with outside experts to investigate the security incident and concluded that student information was “potentially subject to unauthorized access” between December 28, 2021 and January 8, 2022. Was. At the time, the statement said, Illuminate had five full-time employees dedicated to security operations.
Publish student data held on the Amazon Web Services online storage system. Cybersecurity experts said several companies had inadvertently made their AWS storage buckets easier for hackers by naming databases after company platforms or products.
In the wake of the hack, Illuminate said it had hired six additional full-time security and compliance staff, including a chief information security officer.
After the cyberattack, the company also made several security upgrades, according to a letter Illuminate sent to a school district in Colorado. Among other changes, the letter states, Illuminate has installed continuous third-party monitoring across all of its AW.S. account and is now implementing improved login security for its AWS files.
But during an interview with a reporter, Greg Pollock, vice president of cyber research at UpGuard, a cybersecurity risk management firm, found one of Illuminate’s AWS buckets with an easily guessable name. The reporter then found a second AWS bucket, named after a popular Illuminate platform for schools.
Illuminate said it could not provide details about its security practice “for security reasons.”
Following cyberattacks on both ed tech companies and public schools, education officials said it was time for Washington to intervene to protect students.
“Changes at the federal level are overdue and could have immediate and nationwide impact,” said Mr. Steyer, a spokesman for New York City schools. For example, Congress could amend federal education privacy rules to impose data protection requirements on school vendors, he said. This would enable federal agencies to impose fines on companies that fail to comply.
One agency has already broken up – but not on behalf of the students.
Last year, the Securities and Exchange Commission accused Pearson, a leading provider of evaluation software for schools, of misleading investors about a cyberattack in which the birth dates and email addresses of millions of students were stolen. Pearson agreed to pay $1 million to settle the charges.
Attorney General Mr Balderas said he was outraged that financial regulators acted to protect investors in the Pearson case – even as privacy regulators failed to take steps to protect schoolchildren victims of cybercrime are.
“My concern is that there will be bad actors who will take advantage of the public school setting, especially when they feel that the technology protocols are not strong enough,” Mr Balderas said. “And I don’t know why Congress isn’t scared yet.”