NYC Dept of Ed Bans Use of “Illuminate” Software Following Enormous Data Breach
By: Hadassa Kalatizadeh
A massive data breach, which affected roughly 820,000 public school students in New York City, has led the department of education to nix the use of certain software in schools.
As reported by the NY Post, this week school principals across the city were asked to stop using Illuminate Education products and services, effective at the end of the school year. This widely used, third-party vendor provides platforms for grades, attendance and messaging. In March, the schools publicly announced that hackers were able to obtain access to student information including names, birthdays, ethnicities, disabilities and more. Schools were told they could still use the services till the end of the year, when the contracts would be re-evaluated.
First Deputy Chancellor Dan Weisberg told school administrators that the DOE was “investigating and gathering more information to understand how the incident happened and whether we can continue to use Illuminate’s products and services.” The result of that investigation was to ban use of the software moving forward. DOE officials ultimately accused Illuminate of failing to encrypt its systems.
“We do not take this step lightly because we understand that this is going to create some disruption and challenge for some schools and families,” Weisberg wrote, “and I want to be clear: DOE made this decision after extensive investigation and deliberation, and based on our deep commitment to protecting the privacy of our families and students.”
The first suspicion of a possible data breach arose in January, when three Illuminate products widely used in NYC public schools (Skedula, Pupil Path and IO Classroom) experienced data outages. The data service system outage lasted for a week. Illuminate said at the time that it appeared to be “the result of an attempted security incident.” As of early May, state data estimates that about 2 million students in the state were impacted by the breach, including students at charter schools. There were more than 24 school districts and 18 charter schools known to have been impacted. As per the Post, Illuminate has raked in over $16 million from DOE schools over the last three years.
“There needs to be much more rigorous screening of use of these products,” said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, “and there has to be a real effort to minimize the data accessed by Illuminate — and all products — and the data deleted when it’s no longer used.” Haimson added, “We should not be finding this out from newspaper articles or trade journals. There should be consistent messaging from the state and the city giving us updates on everything they know, and I don’t see that happening either.”
This spring, the DOE launched its own alternative to the Illuminate products. It also informed school heads that it would come up with an approved list of vendors with similar products which ideally could be ready for use by early this summer, education officials told the Post.