Personal data of 820,000 NYC students compromised in hack
The personal data of about 820,000 current and former New York City public school students was compromised in a January hack.
The breach of Illuminate, a taxpayer-funded software company the city’s Department of Education uses to track grades and attendance, resulted in a hacker gaining access to students’ names, birthdays, ethnicities and English-speaking, special-education and free-lunch statuses, sources said.
The students’ social security numbers and family financial information were not collected by the DOE and were not compromised, according to the sources.
Education officials on Friday accused Illuminate of failing to encrypt its IO Classroom, Skedula and Pupilpath platforms.
“We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not,” Chancellor David Banks told The Post, while calling for city, state and federal investigations.
The DOE said it would send letters to families affected by the breach. The information compromised in the hack dated back to the 2016-17 school year, officials said.
The department will also investigate Illuminate’s claim that it had increased safeguards.
Schools could continue using the California company’s services until the end of the year before re-evaluating its contracts for the 2022-23 school year, according to sources.
Bobson Wong, a math teacher at a high school in Queens who frequently uses Skedula to connect with parents, said he needed to continue using the platform unless provided with another option.
“I don’t like using it, but I have to use it. I don’t really have a choice,” he said.
The hacked platforms forced the school to be without its grading and attendance systems for a week in January, causing teachers to lose track of which kids were exposed to COVID-19.
“When Skedula went down, my students’ grades went down,” Wong said. “My students’ homework completion went down by 20 to 30 percent.”
Leonie Haimson, who co-chairs the Parent Coalition for Student Privacy, told The Post her organization was concerned that the release of students’ sensitive information could negatively affect their futures.
Advocates have been “haggling” with the city and state education departments for years about student privacy, she said.
“My feeling about this is that if the DOE is truly taking this seriously, as they should, they should both fine this vendor to the maximum amount … and cut off contracts with them,” Haimson said.
“This is a real watershed moment for the DOE, and actually the state education department, to prove that they’re serious about protecting student privacy,” she continued — and if they don’t, “They will have proven that they’re not responsible guardians of our children’s privacy.”
Illuminate has raked in more than $16 million from DOE schools in the last three years, records show.
The company was also linked to a scandal over ex-Chancellor Richard Carranza’s hiring of a former vice president of Illuminate who had failed to divest from his former company when he took a $205,000-a-year city job in 2018.
“There is no evidence of any fraudulent or illegal activity related to this incident,” Illuminate said in a statement.
“The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again.”
But for families whose private information could fall into the wrong hands, news of the hack left them nervous for its repercussions.
Ellen McHugh, who co-heads the Citywide Council of Special Education, wondered what the breach entailed for students whose disability status could’ve been accessed.
“It’s the stuff that makes your stomach churn,” Hugh said.
The Big Apple public school district is the nation’s largest, with approximately 1.1 students enrolled across the boroughs.
Mayor Eric Adams said in a statement that New York City “will not tolerate bad actors.”
“[We] plan to hold Illuminate fully accountable for not providing our students with the security and timely notification the company promised,” Adams said.