Illuminate education – 社区黑料, America's Education News Source (feed generated Fri, 12 Dec 2025)

As Feds Crack Down on Huge Ed Tech Data Breach, Parents and Students Left Out
/article/as-feds-crack-down-on-huge-ed-tech-data-breach-parents-and-students-left-out/
Sat, 13 Dec 2025 11:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

The Federal Trade Commission announced this month plans to take action against Illuminate Education over a massive 2021 data breach. The move added to a long list of government actions against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed fines and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach.

The ones that haven't made progress in their efforts to hold Illuminate accountable are parents and students.

Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data — including grades, special education information and medical records — didn't constitute a concrete harm.


In the news

Students walk out of East Mecklenburg High School in protest of U.S. Border Patrol operations targeting undocumented immigrants on Nov. 18 in Charlotte, North Carolina. (Getty Images)

The latest in President Donald Trump's immigration crackdown: In many cities across the country, from New Orleans to Minneapolis, resisting federal immigration enforcement means keeping kids in school.

  • Trump's mass deportation effort has had a particularly damaging effect on the child care industry, which is heavily reliant on immigrant preschool teachers — most of them working in the U.S. legally — who have found themselves "wracked by anxiety over possible encounters with ICE."
  • 'Culture of fear': Immigrant students across the country have increasingly found themselves targets of bullying since the beginning of Trump's second term, according to a new survey of high school principals.

A Kansas middle school will no longer assign Chromebooks to each student: Computers have had "a wonderful place in education," the school's principal said. But schools have "simply immersed students too much in technology."

A Florida middle school went into lockdown after an automated threat detection system was triggered by a clarinet. A student was walking in the hallway "holding a musical instrument as if it were a weapon."


'Got what he deserved': A California teacher has filed a federal First Amendment lawsuit against her school after she was suspended for a Facebook post calling right-wing political activist and Turning Point USA founder Charlie Kirk a "propaganda-spewing racist misogynist" a day after he was murdered.

  • In Florida, two teachers have filed separate First Amendment lawsuits after they were punished for social media posts critical of Kirk after his death.
  • Texas Gov. Greg Abbott announced a partnership with Turning Point USA to create local chapters of the group at every high school campus in the state, vowing "meaningful disciplinary action" against any educators who stand in the way.
  • Kirk's wife, Erika Kirk, will field questions from "young evangelicals, prominent religious leaders and figures across the political spectrum" during a live town hall Saturday on CBS News moderated by its new editor-in-chief, Bari Weiss.
  • ICYMI: The Trump administration's First Amendment crackdown in the wake of the activist's violent death has left student free speech on even shakier ground.

Vice chair Robert Malone during a meeting of the CDC Advisory Committee on Immunization Practices on Dec. 5 (Getty Images)

Following a shakeup in its ranks by vaccine skeptic and Health and Human Services Secretary Robert F. Kennedy Jr., a Centers for Disease Control and Prevention advisory committee voted to overturn a decades-long recommendation that newborn babies be immunized for hepatitis B — a policy credited with decimating the highly contagious virus in infants.

  • A measles outbreak in South Carolina schools is accelerating, with some unvaccinated students in a second 21-day quarantine since the beginning of the academic year.

A photo that circulated online depicted California high school students lying in the shape of a swastika on the grass of a football field. Chaos ensued.

'It feels nasty. It's gross.': Controversy has come to a head at a California high school after an adult film producer rented out the campus gym for a raunchy livestream. "The first thing I see is a full-grown adult, an adult man wearing a baby costume and being fed milk from a baby bottle," one student observer noted.

Two Texas teenagers allegedly conspired to carry out a school shooting at their high school, but the plot was thwarted after classmates reported text messages with their plans to school police. "Don't come to school on Monday," one of the messages warned.


ICYMI @The74

A GOP push to limit public borrowing by graduate students could exclude many nursing students, as well as those training for several other professions. (Glenn Beil/Getty Images)


FTC, State AGs Crack Down on Ed Tech Company After Massive Student Data Breach
/article/ftc-state-ags-crack-down-on-ed-tech-company-after-massive-student-data-breach/
Fri, 12 Dec 2025 11:30:00 +0000

When the Federal Trade Commission announced this month it was taking action against Illuminate Education over a massive 2021 data breach, it added to the list of government measures against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed penalties and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach.

The ones that haven't made progress in their efforts to hold Illuminate accountable are parents and students. Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data — including grades, special education information and medical records — didn't constitute a concrete harm.

The federal appeals court ruling concerned a proposed class-action lawsuit filed by families whose children's information was compromised. The court concluded the plaintiffs lacked standing because they did not demonstrate actual damage from the breach or an "imminent and substantial" risk of future identity theft. In the years since the cyberattack was carried out, the court found, there was no evidence that the records, which did not include Social Security numbers, had been misused to commit identity theft.

"It has been more than three years since the breach," the court wrote, "and no fraud has occurred, nor is the kind of information at issue the kind that this court normally considers sufficient to find a credible threat of identity theft."

Under the action announced by the FTC this month, Illuminate will be required to create a "comprehensive information security program," delete any student data it is no longer using and notify the commission of any future data breaches. Regulators allege that a third-party company hired by Illuminate to assess its cybersecurity safeguards raised red flags a year before the company was hacked, but that Illuminate failed to heed those warnings; the intrusion was carried out using the compromised credentials of a former employee.

"Illuminate pledged to secure and protect personal information about children and failed to do so," Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection, said in a media release this month. The FTC action, Mufarrige continued, should serve as a warning to other companies that the commission "will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children's medical diagnoses and other personal data."

After the data breach, which affected the country's two largest school districts, in New York City and Los Angeles, among others, Illuminate was acquired by another education technology company, Renaissance, in 2022. Since then, a Renaissance spokesperson said in a statement to 社区黑料 this week, Illuminate products have been incorporated into its "cybersecurity and data protection program."

That program includes "robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators and families," the spokesperson said.

The FTC action comes on the heels of settlements last month, when state attorneys general in California, Connecticut and New York secured a combined $5.1 million in penalties from Illuminate, along with cybersecurity requirements that resemble the FTC's demands. State investigators similarly alleged sweeping security flaws at the company, including the failure to monitor suspicious activity and to deactivate the inactive user accounts of former employees.

The California Department of Justice alleged that Illuminate made "false and misleading statements" about its cybersecurity safeguards in its privacy policy and "deceptively advertised" to school districts that it was a signatory of the nonprofit Future of Privacy Forum's now-defunct "Student Privacy Pledge."

The voluntary pledge sought to hold education technology companies accountable for maintaining "a comprehensive security program" to protect students' personal information and to prevent the sale of student records for targeted advertising.

Illuminate became the first ed tech company to get booted from the pledge after reporting by 社区黑料 called into question its utility in holding tech firms accountable for failing to meet its provisions.

In the multistate action, Connecticut regulators reached a settlement under the state's student data privacy law, which was enacted nearly a decade ago.

"Technology is everywhere in schools today, and Connecticut's Student Data Privacy Law requires strict security to protect children's information," Connecticut Attorney General William Tong said in a statement. The settlement "holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously."

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
/article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/
Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts' active-shooter response plans, students' medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by 社区黑料, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies' status as a Student Privacy Pledge signatory after records in a database maintained by the company were found to be readily available without any encryption protection, despite Raptor's claims that it scrambles its data.

"We are reviewing the details of Raptor Technologies' leak to determine if the company has violated its Pledge commitments," David Sallay, the Washington-based group's director of youth and education privacy, said in a Jan. 24 statement. "A final decision about the company's status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days."

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge.

Texas-based Raptor Technologies, which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors' government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice "something a bit odd about a student's behavior" that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear 'unkempt or hungry,' are withdrawn from friends, engage in self-harm, have poor concentration or struggle academically.

Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm's way. And as cybersecurity experts express concerns about the exposure, they've criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.

Fowler, a cybersecurity researcher at vpnMentor and a self-described "data breach hunter," has been tracking down online vulnerabilities for a decade. The Raptor leak is "probably the most diverse set of documents I've ever seen in one database," he said, including information about campus surveillance cameras that didn't work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.

vpnMentor notified Raptor in December, and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn't the result of a hack and there's no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months.

The situation could have grown far more dire without Fowler's audit.

"The real danger would be having the game plan of what to do when there is a situation," like an active shooting, Fowler said in an interview with 社区黑料. "It's like playing in the Super Bowl and giving the other team all of your playbooks and then you're like, 'Hey, how did we lose?'"

David Rogers, Raptor's chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure "that any individuals whose personal information could have been affected are appropriately notified."

"Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems," Rogers said in a statement. "We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused."

'Maybe this is a pattern'

Raptor is currently among more than 400 companies that have signed the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children.

Raptor and the other companies have vowed against selling students' personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to "maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity" of students' personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be "appropriate to the sensitivity of the information."

Raptor touts its pledge commitment on its website, where it notes the company takes "great care and responsibility to both support the effective use of student information and safeguard student privacy and information security." The company claims that it ensures "the highest levels of security and privacy of customer data," including encryption "both at rest and in-transit," meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it's being moved between devices or networks.


Raptor's own privacy language, however, offers a more qualified assurance, saying the company takes "reasonable" measures to protect sensitive data, but that it cannot guarantee that such information "will be protected against unauthorized access, loss, misuse or alterations."

Districts nationwide have spent tens of millions of dollars on Raptor's software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under New York state law, education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn't fall into the hands of unauthorized actors.

Countering Raptor's claims that data were encrypted, Fowler told 社区黑料 the documents he accessed "were just straight-up PDFs, they didn't have any password protections on them," adding that the files could be found by simply entering their URLs into a web browser.

Officials at the Rochester school district didn't respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements.

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — "except maybe it wasn't."

A decade after the privacy pledge was introduced, he said "it falls far short of offering the regulatory and legal protections students, families and educators deserve."

"How can educators know if a company is taking security seriously?" Levin asked. Raptor "said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn't forthright. And so, maybe this is a pattern."

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing.

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger.

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by 社区黑料 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search.

"I've got a 14-year-old daughter and when I'm seeing these school maps I'm like, 'Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,'" Fowler said of the Raptor breach. "That's the part where I was like, 'Oh my God, this literally is the blueprint for what happens in the event of a shooting.'"

'Sweep it under the rug'

The Future of Privacy Forum's initial response to the Raptor breach mirrors the nonprofit's actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation.

The forum's decision to remove Illuminate followed an article in 社区黑料, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students.

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to "consider further appropriate action." It's unclear if regulators took any actions against Illuminate. The FTC and the California attorney general's office didn't respond to requests for comment. The New York attorney general's office is reviewing the Illuminate breach, a spokesperson said.

"Publicly available information appears to confirm that Illuminate Education did not encrypt all student information" in violation of several Pledge provisions, Forum CEO Jules Polonetsky told 社区黑料 at the time. Among them is a commitment to "maintain a comprehensive security program" that protects students' sensitive information and to "comply with applicable laws," including New York's "explicit data encryption requirement."

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector's equivalent of an Oscar.

Raptor isn't the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children's school buses. A statement the forum provided 社区黑料 didn't mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.

Despite the forum's actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to "virtue signaling" that can be quickly brushed aside.

"Pledges are just that, they're like, 'Hey, that sounds good, we'll agree to it until it no longer fits our business model,'" he said. "A pledge is just like, 'whoops, our bad,' a little bit of bad press and you just sweep it under the rug and move on."

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor's early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe.

Although he said he has "a great deal of admiration" for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

"Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, 'Look, we are committed to doing better,' when in fact, they're using the pledge to avoid being told to do better," he said. "That's what we need, not people saying, 'On scout's honor I'll do X.'"

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.

Illuminate Ed Pulled from 'Student Privacy Pledge' After Massive Data Breach
/article/illuminate-ed-pulled-from-student-privacy-pledge-after-massive-data-breach/
Mon, 08 Aug 2022 18:01:00 +0000 (Updated)

Embattled education technology vendor Illuminate Education has become the first-ever company to get booted from the Student Privacy Pledge, an unprecedented move that follows a massive data breach affecting millions of students and allegations the company misrepresented its security safeguards.

The Future of Privacy Forum, which created the self-regulatory effort nearly a decade ago to promote ethical student data practices by education technology companies, announced on Monday it had stripped Illuminate of its pledge signatory designation and referred the company to the Federal Trade Commission and state attorneys general in New York and California, where the biggest breaches occurred, to "consider further appropriate action," including sanctions.

"Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while" it was being stored or transferred from one system to another, forum CEO Jules Polonetsky said in a statement. He said the decision to de-list Illuminate came after a review including "direct outreach" to the company, which "would not state" that such privacy practices had been in place.




"Such a failure to encrypt would violate several pledge provisions," Polonetsky said, including a commitment to "maintain a comprehensive security program" to protect students' sensitive information and to "comply with applicable laws," including an "explicit data encryption requirement" in New York.

Encryption is the cybersecurity practice of scrambling readable data into an unusable format to prevent bad actors from understanding it without a key. Illuminate used Amazon Web Services to store student data on accounts that were easy to identify.

Through the voluntary pledge, signatories have agreed to a set of commitments to protect students' online privacy. Though the privacy forum maintains that the pledge is legally binding and can be enforced by federal and state regulators, the move against Illuminate marks a dramatic shift in enforcement. The extent of the Illuminate breach remains unclear, but it encompasses districts in six states and an undisclosed number of students.

Illuminate Education CEO Christine Willig (Illuminate Education)

Illuminate Education spokesperson Jane Snyder said the company is disappointed in the privacy forum's decision, but it "will not detract from our commitment to safeguard the privacy of all student data in our care." The privately held company founded in 2009 claims some 5,000 schools serving 17 million students use its tools.

"We will continue to monitor and enhance the security of our systems, and we will continue to work with students and school districts to resolve any concerns related to this matter while prioritizing the privacy and protection of the data we maintain," Snyder said in a statement.

In a recent article in 社区黑料, student privacy experts criticized the Big Tech-funded privacy forum for failing to sanction companies that break the agreement terms.

The action taken against Illuminate comes just three months after the Federal Trade Commission announced efforts to ramp up enforcement of federal student privacy protections, including against companies that sell student data for targeted advertising and that lack reasonable systems "to maintain the confidentiality, security and integrity of children's personal information."

The privacy forum maintains that the Federal Trade Commission and state attorneys general can hold companies accountable to their pledge commitments via consumer protection rules that prohibit unfair and deceptive business practices, but such action has never been taken. Education companies have long used the pledge as a marketing tool and the privacy forum has touted it as an assurance to schools as they shop for new technology.

Signs of a data breach at California-based Illuminate first emerged in January when several of its popular digital tools, including programs used in New York City to track students' grades and attendance, went dark. City officials announced in March that the personal data of some 820,000 current and former students had been compromised. Outside New York City, home to America's largest school district, state officials said the breach affected an additional 174,000 students across the state. Student information in Los Angeles, the country's second-largest school district, was also breached.

Compromised data includes information about students' eligibility for special education services and free or reduced-price lunch, their names, demographic information, immigration status and disciplinary records.

New York City officials have accused Illuminate of misrepresenting its security safeguards and instructed educators to stop using its tools. New York State Education Department officials are investigating whether the company's security practices run afoul of state law, which requires education vendors to maintain "reasonable" data security safeguards and to notify schools about data breaches "in the most expedient way possible and without unreasonable delay."

School districts in California, Colorado, Connecticut, Oklahoma and Washington have since disclosed that their students' personal information was compromised in the breach. Illuminate Education has never said how many people were affected by the lapse, while at the same time maintaining that it has "no evidence that any information was subject to actual or attempted misuse."

CEO of the Future of Privacy Forum Jules Polonetsky (Future of Privacy Forum)

鈥淔PF believes that the privacy and security of students鈥 information is essential,鈥 Polonetsky said in the statement, declining to comment further. 鈥淭o help ed tech companies better protect student data, we will be providing training for Pledge signatories, with a specific focus on data governance and security.鈥

For years, critics have accused the pledge of providing educators and parents with a false affirmation about the safety of education technology while being a tech-funded effort to thwart meaningful government regulation. 

The privacy forum鈥檚 decision to yank Illuminate doesn鈥檛 suggest stronger pledge enforcement going forward, said Doug Levin, the national director of The K12 Security Information eXchange. Rather, he accused the privacy forum of acting more in response to media coverage than a desire to hold companies to their promises.

鈥淭he only time that the Future of Privacy Forum has considered de-listing an organization is when the practices of a company have come under the attention of national media,鈥 he said, adding that the press is an insufficient tool to hold tech companies accountable. 鈥淚 think this is a case where [the privacy forum] was looking at collateral reputational damage and damage to the pledge and they had to act to protect their own self-interests and the interests of other pledge members. I do not read it as a signal that enforcement of the pledge will be enhanced going forward.鈥

Meanwhile, Levin sees Illuminate’s unwillingness to discuss its security practices with the privacy forum as another reason to believe the company acted negligently.

Illuminate is “clearly in legal jeopardy and I think they are concerned about making statements that could be used in a legal context to hold them accountable,” Levin said.

Still, the privacy forum’s decision to remove Illuminate raises the stakes from its previous enforcement efforts, most notably against the College Board, a nonprofit that administers the widely used SAT college admissions exam. In 2018, the privacy forum placed the nonprofit’s after found it was selling student data to third parties. The College Board was reinstated as an active pledge signatory a year later. It remains , despite a 2020 investigation by Consumer Reports that uncovered it was sending student data to major digital advertising platforms.

While some have argued that the College Board should have been removed from the pledge, the privacy forum has previously resisted efforts to de-list signatories. When the group learns about complaints against pledge signatories, it typically works with companies to resolve issues and ensure compliance, according to . 

Removing companies from the pledge, the post argued, “could result in fewer privacy protections for users, as a former signatory would not be bound by the Pledge’s promises for future activities.”

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.

After Huge Illuminate Data Breach, Ed Tech’s ‘Student Privacy Pledge’ Under Fire /article/after-huge-illuminate-data-breach-ed-techs-student-privacy-pledge-under-fire/ Sun, 24 Jul 2022 19:00:00 +0000 /?post_type=article&p=693424 A few months after education leaders at America’s largest school district announced that a technology vendor had exposed sensitive student information in a massive data breach, the company at fault — Illuminate Education — was recognized with the of the Oscars.

Since that disclosure in New York City schools, the scope of the breach has only grown, with districts in six states announcing that some had become victims. Illuminate has never disclosed the full extent of the blunder, even as critics decry significant harm to kids and security experts question why the company is being handed awards instead of getting slapped with sanctions. 

Amid demands that Illuminate be held accountable for the breach — and for allegations that it misrepresented its security safeguards — the company could soon face unprecedented discipline for violating , a self-regulatory effort by Big Tech to police shady business practices. In response to inquiries by 社区黑料, the Future of Privacy Forum, a think tank and co-creator of the pledge, disclosed Tuesday that Illuminate could soon get the boot.


Forum CEO Jules Polonetsky said his group will decide within a month whether to revoke Illuminate’s status as a pledge signatory and refer the matter to state and federal regulators, including the Federal Trade Commission, for possible sanctions.

“We have been reviewing the deeply concerning circumstances of the breach and apparent violations of Illuminate Education’s pledge commitments,” Polonetsky said in a statement to 社区黑料.

Illuminate did not respond to interview requests. 

In a twist, the pledge was co-created by the Software and Information Industry Association, the trade group that last month as being among “the best of the best” in education technology. The pledge, created nearly a decade ago, is designed to ensure that education technology vendors are ethical stewards of kids’ most sensitive data. Its staunchest critics have assailed the pledge as being toothless — if not an outright effort to thwart meaningful government regulation. Now, they are questioning whether its response to the massive Illuminate breach will be any different.

“I have never seen anybody get anything more than a slap on the wrist from the actual people controlling the pledge,” said Bill Fitzgerald, an independent privacy researcher. Taking action against Illuminate, he said, “would break the pledge’s pretty perfect record for not actually enforcing any kind of sanctions against bad actors.”

Jules Polonetsky

Through the voluntary pledge, launched in 2014, hundreds of education technology companies have agreed to a slate of safety measures to protect students’ online privacy. Pledge signatories, , they will not sell student data to third parties or use the information for targeted advertising. Companies that sign the commitment also agree to “maintain a comprehensive security program” to protect students’ personal information from data breaches.

The privacy forum, which is , has long maintained that the and offers assurances to school districts as they shop for new technology. In the absence of a federal consumer privacy law, the forum argues the pledge grants “an important and unique means for privacy enforcement,” giving the Federal Trade Commission and state attorneys general an outlet to hold education technology companies accountable via consumer protection rules that prohibit unfair and deceptive business practices.

For years, critics of providing educators and parents false assurances that a given product is safe, than a pinky promise. Meanwhile, schools and technology companies have become increasingly entangled — particularly during the pandemic. As districts across the globe rushed to create digital classrooms, few governments checked to make sure the tech products officials endorsed were safe for children, by the Human Rights Watch. Shoddy student data practices by leading tech vendors, the group found, were rampant. Of the 164 tools analyzed, 89 percent “engaged in data practices that put children’s rights at risk,” with a majority giving student records to advertisers.

As companies suck up a mind-boggling amount of student information, a lack of meaningful enforcement has let tech companies off the hook for violating students’ privacy rights, said Hye Jung Han, a Human Rights Watch researcher focused on children. As a result, she said, students whose schools require them to use certain digital tools are being forced to “give up their privacy in order to learn.” Paired with large-scale data breaches, like the one at Illuminate, she said students’ sensitive records could be misused for years.

“Children, as we know, are more susceptible to manipulation based on what they see online,” she said. “So suddenly the information that’s collected about them in the classroom is being used to determine the kinds of content and the kinds of advertising that they see elsewhere on the internet. It can absolutely start influencing their worldviews.”

But the regulatory environment under the Biden administration may be entering a new, more aggressive era. The Federal Trade Commission announced in May that it would scale up enforcement on education technology companies that sell student data for targeted advertising and that “illegally surveil children when they go online to learn.” Even absent a data breach like the one at Illuminate, the commission wrote in a policy statement, education technology providers violate the if they lack reasonable systems “to maintain the confidentiality, security and integrity of children’s personal information.”

The FTC declined to comment for this article. Jeff Joseph, president of the Software and Information Industry Association, said its recent awards were based on narrow criteria and judges “would not be expected to be aware of the breach unless the company disclosed it during the demos.” News of the breach was .

The trade group “takes the privacy and security of student data seriously,” Joseph said in a statement, adding that the Future of Privacy Forum “maintains the day-to-day management of the pledge.”

‘Absolutely concerning’

Concerns of a data breach at California-based Illuminate in January when several of the privately held company’s popular digital tools, including programs used in New York City to track students’ grades and attendance, went dark.

Yet it that city leaders announced that the personal data of some 820,000 current and former students — including their eligibility for special education services and for free or reduced-price lunches — had been compromised in a data breach. In disclosing the breach, city education officials of misrepresenting its security safeguards. The Department of Education, which over the last three years, to stop using the company’s tools.

A month later, officials at the New York State Education Department launched an investigation into whether the company’s data security practices ran afoul of state law, department officials said. Under the law, education vendors are required to maintain “reasonable” data security safeguards and must notify schools about data breaches “in the most expedient way possible and without unreasonable delay.”

Outside New York City, state officials said the breach affected about 174,000 additional students across the state.

Doug Levin, the national director of The K12 Security Information eXchange, said the state should issue “a significant fine” to Illuminate for misrepresenting its security protocols to educators. Sanctions, he said, would “send a strong and very important signal that not only must you ensure that you have reasonable security in place, but if you say you do and you don’t, you will be penalized.”

Meanwhile, Illuminate has since become the subject of two federal class-action lawsuits in New York and California, including one that alleges that students’ sensitive information “is now an open book in the hands of unknown crooks” and is likely being sold on the dark web “for nefarious and mischievous ends.”

Plaintiff attorney Gary Graifman said that litigation is crucial for consumers because state attorneys general are often too busy to hold companies accountable. 

“There’s got to be some avenue of interdiction that occurs so that companies adhere to policies that guarantee people their private information will be secured,” he said. “Obviously if there is strong federal legislation that occurs in the future, maybe that would be helpful, but right now that is not the case.”

School districts in California, Colorado, Connecticut, Oklahoma and Washington have since disclosed to current and former students that their personal information had been compromised in the breach. But the full extent remains unknown because “Illuminate has been the opposite of forthcoming about what has occurred,” Levin said.

companies to disclose data breaches to the public. Some 5,000 schools serving 17 million students use Illuminate tools, according to the company, which was founded in 2009.

Doug Levin

“We now know that millions of students have been affected by this incident, from coast to coast in some of the largest school districts in the nation,” including in New York City and Los Angeles, Levin said. “That is absolutely concerning, and I think it shines a light on the role of school vendors,” who are a significant source of education data breaches.

Nobody, , can guarantee that their cybersecurity infrastructure will hold up against motivated hackers, Levin said, but Illuminate’s failure to disclose the extent of the breach raises a major red flag.

“The longer that Illuminate does not come clean with what’s happened, the worse it looks,” he said. “It suggests that this was maybe leaning on the side of negligence versus them being an unfortunate victim.”

‘A public relations tool’

When six years ago, it acknowledged the importance of protecting students’ data and said it offered a “secure online environment with data privacy securely in place.” , Illuminate touts an “unwavering commitment to student data privacy,” and offers a link to the pledge.

“By signing this pledge,” the company wrote in a 2016 blog post, “we are making a commitment to continue doing what we have already been doing from the beginning — promoting that student data be safeguarded and used for encouraging student and educator success.”

Some pledge critics have accused tech companies of using it as a marketing tool. In 2018, argued that pledge noncompliance was rampant and accused it of being “a mirage” that offered comfort to consumers “while providing little actual benefit.”

“The pledge may be more valuable as a public relations tool than as a means of actually effecting — or reflecting — industry improvements,” according to the report. Gaps between the pledge’s public declarations and companies’ business practices, it concluded, “is likely to mislead consumers.”

In 2015, a software researcher found a large share of pledge signatories infrastructure to guard student data from hackers. Three years later, The New York Times published , a nonprofit that administers the widely used SAT college admissions exam. College Board, the report exposed, was selling student data to third parties in violation of the privacy pledge. In response, the College Board’s status as a pledge signatory had been placed “under review,” but as an active signatory a year later. The College Board, it said in a press release, had committed to changing its business practices.

Still, in 2020 found the College Board was sending student data to major digital advertising platforms, including those operated by Microsoft and Google. The College Board, . 

The nonprofit is “resolute in protecting student data privacy,” a spokesperson said in a statement. “Organizations that receive data from College Board, such as high schools, districts, colleges, universities, and scholarship organizations, must adhere to strict guidelines when using that data.”

Some critics have argued the College Board should have been removed from the pledge, but the Future of Privacy Forum has held that taking such action against signatories could do more harm than good. When the forum becomes aware of a complaint against a pledge signatory, it typically works with the company to resolve issues and ensure compliance, . The think tank argued it’s best to work with noncompliant companies to improve their business practices rather than exile them from the pledge outright. Removing companies “could result in fewer privacy protections for users, as a former signatory would not be bound by the Pledge’s promises for future activities.”

Attorney Amelia Vance, a former privacy forum employee and the founder and president of Public Interest Privacy Consulting, said the pledge has nudged education technology companies to change their business practices to ensure they’re following its provisions.

“I almost always thought of it as a way to make companies better and more aware of student privacy than something to be enforced with specific teeth,” said Vance, who declined to comment on whether Illuminate should be removed. “After all, the Federal Trade Commission and state [attorneys general] are the ones who really have the enforcement powers here.”

But self-policing efforts, like the pledge, are “only as effective as the enforcement,” said Levin, the school security expert. Otherwise, it can only serve as “a nice window dressing” for Big Tech efforts to fend off stricter state and federal regulations — provisions he said must be strengthened.

At a minimum, he said the privacy forum should disclose companies that have been credibly accused of violating the pledge and to conduct investigations. If they find a company out of compliance, he said “it’s not clear to me that they should be allowed to re-sign the pledge.”

“If I were another signatory of the pledge, I would be quite concerned about whether or not the value of that pledge is being diminished” by including companies that violate its provisions, he said. “If it’s going to serve its purpose, there needs to be some policing.”

But to Fitzgerald, the privacy researcher, the forum鈥檚 failure to take action against bad actors has long rendered the pledge useless. 

“It’s not like the pledge finally doing what the pledge should have been doing five years ago would make a difference,” he said. “It’s never too late to start” removing companies that violate its provisions, he said, but “the fact that it hasn’t happened yet seems to indicate that it’s not going to happen.”

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.

74 Interview: Cybersecurity Expert Levin on the Harms of Student Data Hacks /article/74-interview-cybersecurity-expert-levin-on-the-harms-of-student-data-hacks/ Tue, 31 May 2022 14:01:00 +0000 /?post_type=article&p=589996 Everyone knows rules one and two of Fight Club: You do not talk about Fight Club. 

Now it appears that district technology leaders have applied that logic to computer hacks. That’s according to Doug Levin, the national director of The , who has spent years chronicling computer hacks on school districts and education technology vendors. Data breaches are a significant and growing threat to schools, he said, yet many district IT officials are hesitant to discuss them.


“Quietly they might confess that this is an issue they lose a lot of sleep over, but they never talk about it publicly, often for fear of looking bad,” said Levin, whose nonprofit group provides threat intelligence to school districts to protect them from emerging cybersecurity risks.

Now, an increasing number of school districts have been forced to notify students and parents that they’ve been duped. In March, New York City Public Schools, the country’s largest district, disclosed that the had been exposed online. The data breach, the largest such incident against a single school district in U.S. history, has since reached far beyond the five boroughs. Other school districts — California, Colorado, Connecticut, Oklahoma and New York — have since acknowledged being victims.

At the center of the debacle is that helps more than 5,200 school districts track student attendance and grades, among other metrics. Students’ personal information, some of it sensitive, was exposed when hackers breached Illuminate’s servers in January. students’ names, birth dates, class schedules, behavioral records and whether they qualify for special education or free or reduced-price lunches.

Doug Levin

Yet months later, many key details — including the number of districts affected — remain unknown. The company did not respond to requests for comment from 社区黑料.

In New York, state education officials into Illuminate, which city officials accused of misrepresenting its security safeguards. 

To gain a better understanding of the hack, 社区黑料 caught up with Levin to discuss how the high-profile data breach occurred, why many critical pieces of information remain elusive and strategies that parents and students can use to protect themselves online. 

The interview, which has been edited for length and clarity, was conducted prior to the latest development on the school cybersecurity beat: Friday that the personal information of more than half a million students and staff was compromised in a ransomware attack on education technology vendor Battelle for Kids. The data breach was carried out on December 1 and Battelle notified Chicago officials about the attack about a month ago, on April 26. 

社区黑料: The Illuminate Education data breach is the largest known hack of K-12 student records in history? 

Doug Levin: The Illuminate Education security incident — we actually don't know much about what happened — was the single-largest data breach incident affecting a single school district. We still have to see what the numbers bear out for Illuminate Education, and it could still grow significantly in size.

But a couple of years ago of their AIMSweb product. They never disclosed the total number of districts that were affected, but they said that 13,000 of their customers were affected. In fact, the Securities and Exchange Commission about the scope of the incident. A number of years ago, the education company Edmodo also endured a massive breach. 

So there are some large incidents that have happened but the more we learn about the Illuminate Education breach, the worse it does appear to be.

What sets this hack apart from previous incidents? 

Some education vendors don’t know a whole lot about the students they’re serving. They may have a student ID, they may know their grades or academic performance in one subject, but not a lot else about that student or their context. The Illuminate Education breach did involve a pretty large swath of sensitive information about students that could be used by criminals to commit identity theft and credit fraud against students. 

So that sets it apart. 

Unfortunately, it鈥檚 the latest and the most high-profile student data breach that is occurring not directly by school districts but by their vendors and partners. A lot of times the security conversation has been focused on the practices of schools themselves and attacks that have targeted schools. There have been a number of high-profile ransomware attacks that have brought school districts to a halt, , and . Those are very eye-opening incidents and they draw a lot of attention, but they are localized in their impact. They are very significant for those communities, but they only affect those communities. 

When a vendor experiences an incident, the impact and the scope of that breach can be massive. If you think about the vendors and suppliers that school districts work with, whether they’re for-profit, nonprofit, or even the state education agencies themselves, if they experience an incident, the scope and magnitude of that incident is likely to be significantly larger. 

There’s sort of this idiosyncratic issue in K-12 education where we have been laser focused on issues of student data privacy and a majority of states have now passed new student data privacy regulations in the last five to 10 years largely because the federal law, the Family Educational Rights and Privacy Act, has not been updated since 1974.

But if we only look at this issue through the lens of student data privacy, it is like we have horse blinders on, we are not seeing the full picture. And while ensuring student data privacy is critically important, these are not security laws and they do not adequately address the various ways that unauthorized users can gain access to student data. 

In fact, vendors and partners are the most frequent cause of school district data breaches. 

This is an era where we need to broaden our lens from student data privacy exclusively to also include security. School districts themselves need to do more due diligence with respect to vendors’ security practices and in making sure they have contractual requirements in place that require the prompt notification and remediation of issues.

With Illuminate Education, it has taken several months for individuals who were affected to find that out. The gap between when the company first learned about the incident and when parents are informed of the incident so they can take steps to protect their children is really too long. We really need to work on tightening that timeframe to protect students from the risks that we are introducing to them. 

A map created by Doug Levin highlights every publicly disclosed cybersecurity incident at a K-12 school system since 2016. (Courtesy Doug Levin)

We don’t know a lot about the scope of the Illuminate Education data breach. How would you describe the company’s overall response? Why does so much remain unclear?

Frankly, it comes down to the state of policy and regulations. In the vast majority of cases, when an incident is experienced by an organization, whether it be by a school district or a partner, one of the first things they will do is look to see what they’re obligated to report under the law.

So setting aside the ethical or moral desire and need to help individuals take steps to protect themselves when you have been at fault in causing an incident, many will look to what they are strictly required to do. And the fact of the matter is that there are many, many loopholes in existing notification laws. 

Organizations do not want to share bad news with their customers and stakeholders, and so there are reasons that people don’t like to disclose these things. But there’s also a compelling number of reasons why stakeholders deserve and need to know.

If hacks are not publicly disclosed, policymakers won’t understand the scope of the issue and they can’t take steps to provide more resources to protect against these sorts of threats. That's exactly the sort of issue we've had in K-12. For years, no one talked about the incidents that schools were experiencing, so people thought that schools really weren't experiencing incidents. That was simply not the case.

Secondly, threat actors that attack schools and their vendors repeat their tactics in predictable ways. If they’re successful at attacking one school district, they will use those exact same tools and techniques against other school districts. So it’s important that organizations share with them a heads-up so that they can take the steps to protect themselves from being compromised in the same ways.

With hacks, there is the potential for people to experience real harms. They can have their identity stolen, tax fraud, credit fraud, they could be embarrassed. They could have things disclosed about them — whether it's their health status, their legal status, their immigration status — that were never supposed to be public and that may lead to very serious repercussions.

There really is a moral obligation for people to disclose these incidents. 

You’ve observed a recent uptick in ransomware attacks. How do districts generally respond to these incidents?

How school districts respond really depends on how proactive they have been in defending against cybersecurity risks. In the best cases, school districts have segmented their networks and made it difficult for that ransomware to spread throughout the district. In those cases, school districts are often able to restore their systems from backups, avoid paying extortion demands, investigate how the ransomware got into their system and plug those holes. 

In recent years, ransomware actors have also exfiltrated large amounts of student and staff data before they encrypt and lock those school district computers and demand a ransom. And I should note those ransom demands have been increasing dramatically for K-12 schools. In 2015 or 2016, you might have seen a ransomware demand of $5,000 to $10,000, payable in a cryptocurrency, of course. Today, it wouldn’t be surprising to see a ransomware demand of a million dollars or more being made to a school district.

When school districts are in that place, they’re really between a rock and a hard place at that point. If ransomware spreads across their system, those are the sorts of incidents that close schools for days and kids are sent home. 

In those cases, they rely on experts to come in and assess how to rebuild their systems, how to evict ransomware actors from their networks, how to handle the fact that ransomware actors have exfiltrated data already, and to reduce instances where schools have to pay those extortion demands.

Law enforcement will never encourage a victim to pay that extortion demand. Every time a school district does so, they are really just encouraging future threat actors to target school districts with the same sort of techniques. 

Even school districts that don’t pay extortion demand face remediation and recovery costs. In Baltimore County, the recovery and remediation costs have been estimated in the millions of dollars, so you’re paying for the cost of ransomware incidents whether you pay that extortion demand or not. 

School districts are not exactly flush with cash. Why are schools a good target for hackers? Why are they particularly vulnerable?

I have often heard schools be very surprised when they’re attacked. They’re morally outraged because they’re an institution that is just trying to help kids and they’re being targeted by these criminals.

But you made the statement that schools don’t have a lot of money and I actually want to push back on that. School districts actually manage quite a bit of money every year. They maintain facilities, transportation and food services. They may be the largest employer in many communities. 

It is correct, of course, that school districts don’t have enough money to do all the things they would like to do and need to do for kids. I’m not arguing that they are sufficiently funded. But it is not unusual for a school district of medium or large size to have an annual budget in the hundreds of millions, and some of the largest districts in the country have annual budgets in the billions. That’s plenty of money to attract the attention of threat actors.

Other than money, school districts and other government agencies have been disproportionately attacked largely because they tend to run IT systems that are older and they also tend to be under-resourced with respect to cybersecurity. They just don’t have the money and the capacity to hire experts in the way that we would hope and certainly not in the way that some private sector organizations do.

And given that public sector organizations like school districts provide essential services and people get very upset if they’re disrupted, they may be susceptible to extortion tactics like ransomware. They also hold a lot of valuable information about those stakeholders that can be repurposed for criminal purposes. It really is a perfect storm here of school districts being, unfortunately, low-hanging fruit for criminals at a time where, as a policy issue, cybersecurity really has not been a priority.

I think this is changing. There are conversations underway in both state legislatures and in Congress looking to provide more resources to school districts for cybersecurity. But this is a marathon not a sprint and, you know, that help has not yet arrived. 

What needs to happen legislatively in regards to school district hacks? 

There is a need for mandatory reporting. It is very difficult for anyone to get a handle on this issue and how to help schools protect themselves if we don’t know the scope of the issues that schools are facing. 

We certainly can’t bring those parties who are responsible to bear unless we get details about those sorts of incidents. 

Secondly, there is no floor, there is no minimum cybersecurity risk management practice in a school district. Parents, employees and taxpayers have reasonable assumptions about how school districts protect themselves from ransomware, data breaches and targeted phishing attacks. Yet I think they may be surprised that their expectations are not being met. Setting a minimum cybersecurity expectation on school districts is a common sense step that we can take, and those protections should also be extended to vendors. 

You built a map to track every K-12 data breach since 2016. What key trends and takeaways have you observed? 

The majority of those incidents involve student data but a significant minority involve school employee data, including teachers.

A variety of actors are responsible for these incidents. About a quarter are carried out by online criminals targeting school districts, but many are actually the result of the actions of insiders to the schools themselves. Like any large organization, employees make mistakes. School districts may email sensitive data to the wrong people, and very occasionally, school districts have disgruntled employees who do things on their way out the door. 

The last group of insiders are the students themselves. An IT leader joked with me once that every school district serving middle and high school students is getting free penetration testing whether they like it or not. The fact of the matter is that a proportion of students are very tech savvy and they do get bored. Kids being kids, they turn their attention to school districts themselves and, in fact, there have been some very large and significant data breaches because students themselves have compromised school district IT systems. 

What do students typically do when they compromise school technology? 

It depends on the incident. In some cases, they’re seeking to change their grades or their attendance records in a very similar vein to the . Some kids have even been enterprising and charged their fellow students for the privilege of changing their grades. 

But in other cases, they’re simply curious or are interested in making some kind of a statement and are interested in defacing a school website, a school social media account, blasting out emails that they think are funny. 

We don’t have any evidence that kids are monetizing their attacks on school districts on the dark web in the way that online criminals do. But having said that, there are a number of cases where students have crossed the line and have gotten entangled with law enforcement because the attacks they’ve carried out against school districts have been so disruptive. 

What do we know about the online criminals who target school districts? Who are they, in what cases have they been caught and in what cases have they faced any repercussions? 

Cybersecurity attacks have a unique characteristic to them because they can be carried out by individuals anywhere in the world at any time. By and large, the online criminals that are targeting school districts are based overseas and they are based in countries that make it difficult for U.S. law enforcement to reach. As a result, many of these actors are not brought to justice. 

A minority of these incidents occur from within the country, and in those cases the ability of law enforcement, the FBI in particular, to bring judgments against those folks is actually pretty good. There was a Texas school district a couple of years ago that was scammed out of several million dollars by a sophisticated phishing attack. It turned out that it was carried out by an individual in Florida who was caught and prosecuted. That person bought Rolexes and sports cars with the money that he stole from that district. But I suspect he is sitting in a jail right now or certainly awaiting sentencing for that crime.

What lessons does the Illuminate Education breach hold for school districts and education technology vendors?

The story is still being told here, but this is going to be a very cautionary tale both for school districts and for vendors. This is going to evolve depending on the outcome of the investigations in New York. The state of New York has a fairly strict student data privacy regulation and it appears that Illuminate Education was in violation of the rules despite assurances that they were in compliance. So the state of New York has an opportunity to set an example here. Many ed tech companies will be watching very closely. 

We’re watching very closely as well. What may happen to renewals from school districts that use products from Illuminate Education? How many customers might they lose? 

It would be wise for vendors and suppliers to understand that it is only a matter of time before new regulations require more cybersecurity protections on the data that they hold about school children and school employees. 

From a school district perspective, it just underscores the importance of due diligence when they are selecting vendors and the need to consider the security practices of their vendors. This is not a one-time evaluation. Threats and vulnerabilities evolve so we need a continuous evaluation process. 

What lessons does this hack hold for parents and students, and what should they do to protect their information online?  

It should highlight for parents and students that there are risks in sharing information with schools and their partners. That risk can be managed, but I think it is incumbent on parents to ask good questions of their school district about their cybersecurity risk management practices. These don't have to be very technical questions, but I do think they deserve assurances from the school board and the superintendent that this is an issue that they're taking seriously, and a school district should be able to explain the steps that they're taking and how they are continuously managing these risks.

If you're worried about being a potential victim, and I think it is always worth worrying about being a potential victim, there are a couple of steps that I would encourage both parents and students to take. I would advise parents to freeze their children's credit record. This is available for free at all of the major credit reporting agencies and it will prohibit an online criminal from stealing the identity of their children and opening credit accounts in their names.

I would also underscore that good password management practices are always useful. I'm talking about not reusing the same username and password that you use for your school accounts for any of your personal accounts. To the greatest extent possible, you want to separate your school life from your private life, and the best way to do that is to use a password manager. There are many free password manager applications that are available as well as a number of good paid options.
