A Cyberattack Illuminates the Shaky State of Student Privacy

The software that many school districts use to track student progress can record highly sensitive information about children: “Intellectual disabilities.” “Emotional disorder.” “Homeless.” “Rupture.” “Rebellion.” “Performer.” “Excessive conversation.” “Need to attend a tutor.”

Today, these systems are under close scrutiny following a recent cyberattack on Illuminate Education, a leading provider of student tracking software. Affected districts include New York City and Los Angeles, the largest public school systems in the country.

In some districts, the data included names, dates of birth, race or ethnicity, and student test scores, officials said. At least one district said the data contained more detailed information such as student tardiness rates, immigration status, behavioral incidents, and disability descriptions.

Such leaks of personal information can have long-term consequences.

“If you’re a bad student, have disciplinary action issues, and that information is currently there, how do you recover from it?” said Joe Green, a cybersecurity expert and parent of a high school student in Erie, Colorado, whose son’s high school was affected by the hack. “It’s your future. It’s in college and getting a job. That’s all.”

Over the last decade, technology companies and education reformers have urged schools to adopt software systems that can catalog and classify students’ classroom outbursts, absenteeism, and learning challenges. The purpose of such tools is to help educators identify at-risk students and intervene. However, as these student tracking systems have become more widespread, cyberattacks on school software vendors have also increased, including a recent hack that affected Chicago Public Schools, the third-largest district in the country.

Today, some cybersecurity and privacy experts say that the cyberattack on Illuminate Education is a warning to industry and government regulators. Although it is not the biggest hack of an educational technology company, these experts say they are troubled by the nature and extent of the data breach, which in some cases included sensitive personal information about students and student data going back 10 years or more. With some educational technology companies collecting sensitive information about millions of schoolchildren, student data protection seems to be completely inadequate, they say.

“There was a truly epic failure,” said Hector Balderas, New Mexico’s Attorney General. His office has sued tech companies for violating the privacy of children and students.

In a recent interview, Balderas said that lawmakers had failed to enact modern and meaningful data protection for students, and that regulators had not held education technology companies responsible for ignoring student data privacy and security.

“There is definitely a gap between enforcement and accountability,” said Balderas.

In a statement, Illuminate stated that “there was no evidence that the information was the subject of actual or attempted misuse” and that it “implemented security enhancements to prevent further cyberattacks.”

Almost a decade ago, privacy and security experts began warning that the proliferation of advanced data mining tools in schools was rapidly outpacing the protection of student personal information. Lawmakers rushed to respond.

Since 2014, California, Colorado, and dozens of other states have passed legislation on student data privacy and security. In 2014, dozens of K-12 education technology providers signed a national Student Privacy Pledge, promising to maintain a “comprehensive security program.”

Proponents of the pledge said the Federal Trade Commission, which cracks down on deceptive privacy practices, could hold businesses to their promises. President Obama endorsed the pledge, praising participating companies in a major privacy speech at the FTC in 2015.

The FTC has a long history of punishing companies that invade children’s privacy on consumer services such as YouTube and TikTok. However, despite numerous reports of educational technology companies with problematic privacy and security practices, the agency has not yet enforced the industry’s student privacy pledge.

In May, the FTC announced that regulators intended to crack down on educational technology companies that violate a federal law, the Children’s Online Privacy Protection Act, which requires online services for children under the age of 13 to protect personal data. FTC spokeswoman Juliana Grünwald Henderson said the agency is conducting a number of nonpublic investigations into educational technology companies.

Based in Irvine, California, Illuminate Education is one of the leading vendors of student tracking software in the country.

The company’s site says its services reach more than 17 million students in 5,200 school districts. Popular products include attendance systems, online gradebooks, and a school platform called eduCLIMBER, which allows educators to record students’ “social and emotional behavior” and color-code children as green (“on track”) or red (“not on track”).

Illuminate has promoted its cybersecurity. In 2016, the company announced that it had signed the industry pledge to show its “support for protecting” student data.

Concerns about cyberattacks arose in January after some teachers at a New York City school discovered that their online attendance and report card system had stopped working. Illuminate said it temporarily took these systems offline after recognizing “suspicious activity” on some parts of the network.

Nathaniel Styer, a spokesman for New York City public schools, said on March 25 that Illuminate had informed the district that certain company databases had been subject to unauthorized access. He said the incident affected about 800,000 current and former students in about 700 local schools.

The affected New York City student data included first and last name, school name, student ID number, and at least two other items such as date of birth, gender, race or ethnicity, native language, and class information such as teacher name. In some cases, the student’s disability status, that is, whether they received special education services, was also affected.

New York City officials said they were indignant. In 2020, Illuminate entered into a strict data contract with the school district, requiring the company to protect student data and notify school district staff immediately in the event of a data breach.

City officials have asked the Attorney General of New York and the FBI to investigate. In May, the New York City Education Department, which is conducting its own investigation, instructed local schools to stop using Illuminate products.

“Our students deserved a partner focused on ensuring proper security, but instead their information was at stake,” Mayor Eric Adams said in a statement to The New York Times. Adams added that his administration was working with regulatory agencies.

The Illuminate hack affected an additional 174,000 students in 22 school districts throughout the state, according to the New York State Department of Education, which is conducting its own investigation.

Over the past four months, Illuminate has also notified more than 12 other districts in Connecticut, California, Colorado, Oklahoma, and Washington about cyberattacks.

Illuminate did not state the number of school districts and students affected. In a statement, the company said it had worked with outside experts to investigate the security incident and had concluded that student information was “potentially compromised” between December 28, 2021 and January 8, 2022. According to the statement, Illuminate had five full-time employees dedicated to security operations.

Illuminate held student data on the Amazon Web Services online storage system. According to cybersecurity experts, many companies make it easier for hackers to find their AWS storage buckets by naming databases after their platforms or products.

In the wake of the hack, Illuminate said it hired six additional full-time security and compliance employees, including the Chief Information Security Officer.

According to a letter Illuminate sent to a Colorado school district, the company also made a number of security upgrades after the cyberattack. According to the letter, among other changes, Illuminate has begun continuous third-party monitoring of all its AWS accounts and has enhanced login security for its AWS files.

However, during an interview with a reporter, Greg Pollock, vice president of cyber research at cybersecurity risk management firm UpGuard, found one of Illuminate’s AWS buckets with an easy-to-guess name. The reporter found a second AWS bucket named after a popular Illuminate platform for schools.

Illuminate said it cannot provide details about security practices “for security reasons”.

After a string of cyberattacks on both educational technology companies and public schools, education officials said it was time for Washington to intervene to protect students.

For example, Congress could amend federal education privacy rules to impose data security requirements on school vendors, said Styer, the New York City schools spokesman. This would allow federal agencies to fine companies that do not comply.

Some institutions are already cracking down, but not on behalf of students.

Last year, the Securities and Exchange Commission charged Pearson, a leading provider of assessment software for schools, with misleading investors about a cyberattack in which millions of students’ dates of birth and email addresses were stolen. Pearson agreed to pay $1 million to resolve the claim.

Attorney General Balderas said he was angry that financial regulators had acted to protect investors in the Pearson case even as privacy regulators had failed to step up on behalf of schoolchildren who were victims of cybercrime.

“My concern is that there are malicious people who abuse the public school environment, especially if they think the technology protocol is not very robust,” said Balderas. “And I don’t know why Congress isn’t afraid yet.”
