Cyber Incident Victim: Illuminate Education
Date:
Jan 2022
Location:
United States of America
Summary
A hacker accessed sensitive student data through a former employee's credentials at an education technology provider, compromising personal information of millions of students, including names, birthdates, academic records, and special education status. The breach exposed systemic security failures, including unaddressed vulnerabilities, inadequate encryption of stored data, and delayed breach notifications. Following investigations, regulatory authorities alleged the company misrepresented its data protection standards and violated privacy laws. The incident prompted mandated corrective actions, including implementing a comprehensive security program, establishing data retention policies, deleting unnecessary information, and enhancing breach response protocols. Affected entities demanded independent verification of security improvements and initiated reviews of contractual compliance with data protection requirements.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late December 2021, a hacker gained unauthorized access to Illuminate Education’s cloud-based databases using the credentials of a former employee, compromising the personal information of 10.1 million students nationwide. The breach specifically affected Illuminate’s IO Classroom, Skedula, and Pupilpath platforms, which were widely used by New York City schools for grade management, parent communication, and student record-keeping. During January 2022, a service outage across these platforms disrupted operations for teachers and administrators amid COVID-19 surges and snow days, though Illuminate initially denied any data compromise. By March 2022, Illuminate confirmed that hackers had accessed a database containing sensitive information on 820,000 current and former NYC students—approximately 88% of the district’s enrollment. Exposed data included names, birthdates, state student ID numbers, genders, ethnicities, languages spoken, socioeconomic status indicators, National School Lunch Program participation, special education status, Individualized Education Program (IEP) details, teacher assignments, course enrollments, and grades. Social Security numbers and family financial data were not stored in the breached database. New York City officials revealed that Illuminate had violated its contract and New York State Education Law by failing to encrypt student data at rest, despite contractual obligations requiring encryption both in transit and at rest.
The Federal Trade Commission (FTC) filed a complaint in 2025 alleging Illuminate failed to address known security vulnerabilities, delayed breach notifications to affected school districts, and misrepresented its data protection standards to customers, violating Section 5 of the FTC Act. As part of a proposed consent agreement, Illuminate must implement a comprehensive data security program, establish a public data retention schedule, delete unnecessary data, and enhance breach notification processes. While no immediate monetary penalties were imposed, future violations could result in civil fines. Concurrently, New York City Mayor Eric Adams and Schools Chancellor David Banks demanded investigations by the New York State Education Department, NYPD, FBI, and state Attorney General’s Office, citing Illuminate’s two-month delay in confirming the breach and failure to provide critical investigation details. Illuminate agreed to fund identity monitoring for affected families and undergo independent security assessments while NYC officials reviewed terminating its contracts. Despite these actions, the NYC Department of Education permitted continued use of Illuminate’s platforms for the remainder of the 2021-2022 academic year to avoid operational disruptions, pending a full review of vendor data security policies for future school years.