Wednesday April 13, 2022
I am writing to provide you with an update concerning a data security incident that involves an online educational vendor that many New York City Department of Education (DOE) schools use: Illuminate Education.
As you may have seen in the news or heard from your child’s school, Illuminate Education products (such as IO Classroom, Skedula, and PupilPath) were offline for a time in January 2022 due to a security incident. Since then, Illuminate has been conducting an investigation to determine whether any students’ personally identifiable information was accessed as a result of this incident. On March 25, Illuminate notified the DOE that its investigation was complete, and that some students’ personally identifiable information was accessed by someone without authorization.
We are outraged about this breach, and we will do everything possible to protect student data going forward and to provide further information to families affected by this breach.
We are waiting for Illuminate to provide us with more details from their investigation, including which student records were accessed by the unauthorized user. Illuminate has shared the following information with us:
- Names and ID numbers (OSIS) were accessed for all students impacted by the breach.
- Date of birth was accessed for nearly all students impacted by the breach.
- The types of data that were accessed for students are:
- Biographic information, such as gender, ethnicity, and race.
- Academic information, such as teacher schedules, class assignments, and test scores.
- Special education information, specifically whether your student has an Individualized Education Plan.
- Other sensitive information, such as whether your student receives free lunch.
- No copies of student IEPs were impacted.
- No family or student financial information or social security numbers were accessed.
If your student’s records were accessed as part of Illuminate’s break in security, you will receive a letter in the coming weeks with more information about what personally identifiable information was accessed, what steps Illuminati is taking to correct the situation, and how to enroll in credit monitoring services, paid for by Illuminate.
The DOE is taking this situation very seriously, and, at the Mayor’s direction, has referred this matter to law enforcement and is considering what recourse we have on behalf of families against Illuminate. We deeply regret that your students’ confidential information may have been impacted. The DOE remains committed to making sure vendors use strong protections to keep student information safe. Illuminate has informed us that they have added more safeguards to protect student information and have committed to independent verification of the security measures they have put in place.
Please contact us with questions or concerns about this incident. We will do our best to respond while we wait for more information from Illuminate.
Mr. Ivan Rodriguez,
Principal, I.S. 145