Cyberattack highlights precarious state of student privacy

The software that many school districts use to track student progress can record highly sensitive information about children: “Mental retardation.” “Emotional disorder.” “Homeless.” “Destructive.” “Disobedience.” “Criminal.” “Excessive talkativeness.” “Must attend tutoring.”

These systems are now under scrutiny following a recent cyberattack on Illuminate Education, a leading provider of student tracking software, that affected the personal information of more than a million current and former students in dozens of counties, including New York City and Los Angeles, the nation’s largest public school systems.

Officials said that in some counties, the data included names, dates of birth, race or nationality, and student test scores. At least one district said the data included more personal information such as student tardiness rates, migrant status, behavioral incidents, and descriptions of disabilities.

Disclosure of such private information may have long-term consequences.

“If you are not a good student, you had discipline problems, and this information is now available, how do you get rid of it?” said Joe Green, a cybersecurity specialist and the parent of a high school student in Erie, Colorado, whose son’s school was hacked. “This is your future. This is going to college, getting a job. That’s it.”

Over the past decade, tech companies and education reformers have pushed schools to implement software systems that can catalog and categorize student outbursts, truancy, and learning problems. The purpose of such tools is quite prudent: to help teachers identify at-risk students and intervene in their affairs. However, as these student tracking systems proliferate, so do cyberattacks against school software providers, including a recent hack that affected Chicago Public Schools, the third largest region in the country.

Now, some cybersecurity and privacy experts say the cyberattack on Illuminate Education is a warning to industry and government regulators. While it wasn’t the biggest hack of an educational technology company, these experts say they are concerned about the nature and extent of the data breach, which in some cases included sensitive personal data about students or student data dating back over ten years. At a time when some education technology companies have amassed sensitive information about millions of students, they say, measures to protect student data seem completely inadequate.

“It really was a massive failure,” said Hector Balderas, New Mexico Attorney General, whose office sued technology companies for violating the privacy of children and pupils.

In a recent interview, Mr. Balderas said Congress has failed to enact modern and effective data protection for students, while regulators have failed to hold tech firms accountable for violating the privacy and security of student data.

“There is absolutely a gap in enforcement and accountability,” Mr. Balderas said.

Illuminate said in a statement that it has “no evidence of actual or attempted misuse of any information” and that it has “implemented security improvements to prevent” further cyberattacks.

Nearly a decade ago, privacy and security experts began to warn that the proliferation of sophisticated data mining tools in schools was rapidly outpacing protection measures for students’ personal data. Legislators were quick to respond.

Since 2014, California, Colorado, and dozens of other states have enacted student privacy and security laws. In 2014, dozens of K-12 education providers signed up for the national Student Privacy Commitment, promising to support a “comprehensive security program”.

Proponents of the promise said the Federal Trade Commission, which oversees deceptive privacy practices, could force companies to honor their commitments. President Obama confirmed the promise, praising the companies participating in the FTC’s 2015 major privacy speech.

The FTC has a long history of fining companies for violating children’s privacy on consumer services such as YouTube and TikTok. In spite of numerous reports of technology companies with problematic privacy and security practices, however, the agency has yet to deliver on the industry’s promise of student privacy.

In May, the FTC announced that regulators intended to crack down on tech companies that violate a federal law, the Children’s Online Privacy Protection Act, that requires online services intended for children under 13 to protect their personal data. The agency is conducting a series of non-public investigations into technology companies, FTC spokeswoman Juliana Grunwald Henderson said.

Based in Irvine, California, Illuminate Education is one of the leading student tracking software providers in the country.

The company’s website says more than 17 million students in 5,200 school districts use its services. Popular products include an attendance system and an online textbook, as well as a school platform called education CLIMBER, which allows educators to record students’ “socio-emotional behavior” and color-code them as green (“on track”) or red (“off track”).

Illuminate promotes its cyber security. In 2016, the company announced that it had signed an industry commitment to demonstrate its “support for the defense” of student data.

Fears of a cyberattack arose in January after some teachers in New York City schools discovered that their online attendance and gradebook systems had stopped working. Illuminate said it temporarily shut down those systems after it became aware of “suspicious activity” on part of its network.

On March 25, Illuminate notified the district that some of the company’s databases had been compromised, said Nathaniel Styer, spokesman for New York City Public Schools. The incident, he said, affected about 800,000 current and former students in about 700 local schools.

For affected New York City students, data included first and last names, school name and student ID number, and at least two of the following: date of birth, gender, race or ethnicity, native language, and grade information such as teachers’ first names. In some cases, the disability status of the students, i.e. whether they received special education services or not, was also included.

New York officials said they were angry. In 2020, Illuminate signed a strict data use agreement with the district requiring the company to protect student data and promptly notify district officials in the event of a data breach.

City officials have asked the New York City Attorney’s Office and the FBI to investigate. In May, the New York City Department of Education, which is conducting its own investigation, ordered local schools to stop using Illuminate products.

“Our students deserved a partner that focused on providing proper security, but instead their information was left at risk,” Mayor Eric Adams said in a statement to The New York Times. Mr. Adams added that his administration is working with regulators “as we insist on holding the company fully accountable for not providing our students with the safety they promised.”

The Illuminate hack affected an additional 174,000 students in 22 school districts across the state, according to the New York State Department of Education, which is conducting its own investigation.

Over the past four months, Illuminate has also notified more than a dozen other counties — in Connecticut, California, Colorado, Oklahoma, and Washington state — of the cyberattack.

Illuminate declined to say how many school districts and students were affected. The company said in a statement that it worked with outside experts to investigate the security incident and concluded that student information was “potentially compromised” between Dec. 15 and Dec. 20. January 28, 2021 and Jan. November 8, 2022. At the time, the statement said, Illuminate had five full-time employees involved in security operations.

Illuminate stores student data in the Amazon Web Services online storage system. Cybersecurity experts say many companies have inadvertently made it easier for hackers to find their segments of AWS storage by naming databases after the company’s platforms or products.

Following the hack, Illuminate said it had hired six more full-time security and compliance officers, including a director of information security.

The company also made numerous security updates in the aftermath of the cyberattack, according to an Illuminate letter sent to a school district in Colorado. Among other changes, the letter says, Illuminate has introduced ongoing third-party monitoring of all of its AWS accounts and now provides improved security for signing in to its AWS files.

But during an interview with a reporter, Greg Pollock, vice president of cyber research for UpGuard, a cybersecurity risk management firm, found one of Illuminate’s AWS buckets with an easy-to-guess name. The reporter then found a second AWS bucket named after the popular Illuminate platform for schools.

Illuminate said it could not provide details of its security practices “due to security concerns.”

After a wave of cyberattacks on both technology companies and public schools, education officials said it was time for Washington to intervene to protect students.

“Changes at the federal level are long overdue and could have immediate and nationwide repercussions,” said Mr. Styer, spokesman for New York schools. Congress, for example, could amend federal education privacy regulations to impose data security requirements on school providers, he said. That would allow federal agencies to impose fines on companies that do not comply.

One agency has already taken tough action, but not on behalf of students.

Last year, the Securities and Exchange Commission accused Pearson, a major supplier of school evaluation software, of misleading investors about a cyberattack that stole the birth dates and email addresses of millions of students. Pearson agreed to pay $1 million to settle the charges.

Mr. Balderas, the attorney general, said he was infuriated that financial regulators took action to protect investors in the Pearson case, even though privacy regulators failed to protect schoolchildren who were victims of cybercrime.

“My concern is that there will be bad actors who will exploit the public school environment, especially if they think the technology protocols are not very reliable,” Mr. Balderas said. “And I don’t know why Congress isn’t scared yet.”