Advertisement

Data for 820,000 New York K-12 students compromised in hack

By Calley Hair

March 26 (UPI) -- Personal data for approximately 820,000 current and former public school students in New York City was compromised in the hack of a popular online attendance system earlier this year, amounting to the biggest breach of K-12 student data in United States history.

The hack occurred in January, Education Department officials said Friday, prompting a weekslong suspension of the widely used attendance and grading systems Skedula and PupilPath platforms.

Advertisement

Through those platforms hackers may have gained access to names, ethnicities, birthdays, first languages and student ID numbers, as well as sensitive information like whether students accessed special education services or free lunch programs.

The hack affected current public school students as well as past ones dating back to the 2016-17 academic year.

"I can't think of another school district that has had a student data breach of that magnitude stemming from one incident," Doug Levin, the national director of K12 Security Information Exchange, told New York Daily News.

Skedula and PupilPath are owned by California-based company Illuminate Education.

New York City Schools Chancellor David Banks called for an investigation into Illuminate Education, urging the state's education department to look into the company's cybersecurity measures.

Advertisement

"We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not," Banks told New York Spectrum News 1. "We understand how important it is that families can trust that their child's data is protected, and we are exploring options to hold Illuminate accountable for violating that trust."

The Skedula and PupilPath shutdowns in January reportedly caused widespread headaches in public schools around the city, Chalkbeat New York reported at the time.

New York Mayor Eric Adams criticized Illuminate Education for waiting more than two months to formally alert the city of the breach.

"The formal notification of a breach of students' data by Illuminate after two months shows the company has been more concerned with protecting itself than protecting our students. This is completely unacceptable," Adams said in a statement Friday. "We will not tolerate bad actors in this city and plan to hold Illuminate fully accountable for not providing our students with the security and the timely notification the company promised."

In a statement on Saturday, Illuminate Education countered that there is "no evidence of any fraudulent or illegal activity related to this incident."

Advertisement

"The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again."

Latest Headlines