Personal data of former and current students in New York public schools is leaked after the hacking of a widely used online grading and attendance system

The New York Department of Education has confirmed that the personal information of up to 820,000 former and current students in the city’s public schools was exposed in a cyberattack against an academic assistance firm contracted by some local governments in the U.S. According to the authorities, the affected firm, Illuminate Education, acted deceptively by assuring clients that all the information they delivered was encrypted, when some of these records were stored without any encryption.

The incident, detected in January, also led to a disruption of grading and academic attendance systems, and resulted in the exposure of sensitive student information such as:

  • Full names
  • Dates of birth
  • Ethnicity and native languages
  • Identification numbers

It is currently unknown whether each exposed record includes all of the details listed. Soon after, it was confirmed that threat actors also managed to extract a database that includes information on students receiving special education, school lunch support, and other details.

Cybersecurity specialists believe that this could be the largest breach of student data ever detected, which makes it necessary for the operators of this data to reconsider their security measures and how they store and control access to users' personal information. There are approximately 930,000 students in the New York public school system.

For its part, the company has confirmed only that hackers accessed the data of 15,000 students, although it says that the investigation is still ongoing. Nathaniel Styer, a spokesman for the New York Department of Education, criticized Illuminate’s stance and accused the company of manipulating its cybersecurity protocols: “We are outraged that Illuminate has represented schools that legitimately demand critical safeguards in the industry.”

The spokesman added that the Department of Education asked the NYPD and the Federal Bureau of Investigation (FBI) to launch an investigation into the incident and the company’s practices, as this could represent a violation of the privacy and data protection laws in force in New York.
