Hackers successfully targeted a New York City public school district vendor, jeopardizing personal information for some 820,000 current and former students. It was the biggest cyberattack on a single school district in U.S. history, according to Doug Levin, the national director of the K12 Security Information Exchange.
Levin, who has been tracking said the January attack on the city school district is one of the clearest illustrations yet of how important it is that districts carefully vet the security practices of the vendors they work with.
The breach of Illuminate Education, whose software helped the nation鈥檚 largest school district track grades and attendance, means hackers now have access to personal information such as students鈥 names, birthdays, and special education and free-lunch statuses, .
The New York City education department has accused the vendor of misrepresenting its security measures.
鈥淲e are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not,鈥 David Banks, the district鈥檚 chancellor, told the Post.
The department did not immediately respond to questions from Education Week for more information.
Illuminate is in the process of notifying individuals whose data may have been affected, the company said in a statement it provided to Education Week. The company added that 鈥渢here is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again.鈥
That response leaves a lot of open questions, Levin said.
鈥淪ince they have not been forthcoming about what actually happened, it鈥檚 hard to know if they had a reasonable security program in place or not,鈥 Levin said. 鈥淛ust having an incident, in and of itself, should not necessarily mean that a company was negligent or acting in a reckless manner. Having said that, the lack of transparency here is concerning.鈥
It is possible that Illuminate misrepresented its cyber safeguards to the district, as the school system鈥檚 chancellor told the Post, Levin said. It鈥檚 also possible that the company was the victim of shrewd hackers, like those who have breached corporations that almost certainly spend more on cybersecurity than Illuminate, such as Microsoft, he added.
The breach comes as school districts across the country鈥攁nd the companies that serve them鈥攁re increasingly hit by sophisticated cybercriminals, many of whom operate overseas in countries that are tough for U.S. law enforcement to reach.
And it underscores the need for school districts to be vigilant not just about their own security measures, but those of their vendors, Levin said. Vendor hacks can cause all sorts of problems for schools, he explained, noting that .
鈥淪chool districts in general, and this is not just a critique of New York, have not been evaluating their vendors based on vendor security practice,鈥 said Levin. 鈥淓very type of vendor and supplier that a school district works with relies on technology, and if the school district relies on their services, they have an interest in ensuring that they have reasonable security practices in place.鈥