Personal data of 820,000 NYC students compromised in hack, says city's Education Department

California-based software company Illuminate Education has found itself the target of a recent wave of criticism after an online hack compromised the personal data of about 820,000 current and former New York City public school students.

The city's Education Department officials are calling the attack likely the largest-ever breach of K-12 student information to date in the United States.

Sources told the New York Post that the breach of Illuminate Education, used by the city's Department of Education to track grades and attendance, resulted in a hacker gaining access to student names, birthdays,  and ethnicities, as well as English-speaking, special-education, and free-lunch statuses.

However, social security numbers and family financial information were not collected by the DOE and were not compromised, according to the sources.

The hack caused chaos at the beginning of the year when it forced a weeklong shutdown of grading and attendance systems back in January.

According to reporting from Daily News, the hacker or hackers are thought to have obtained private data going back to the 2016 - 2017 school year.

Nathaniel Styer, a spokesperson for the Department of Education, placed the blame squarely on Illuminate's shoulders. "We are outraged that Illuminate represented to us and schools that legally required industry-standard critical safeguards were in place when they were not," Styer told outlets.

The city's DOE has prompted the New York Police Department, the FBI, and the state's Attorney General to investigate the incident, also requesting that the state's Education Department examine Illuminate's compliance with student data privacy laws. "We understand how important it is that families can trust that their child’s data is protected, and we are exploring options to hold Illuminate accountable for violating that trust," Styer added in the press statement.

Up till now, Skedula and PupilPath—two online portals—have helped public educators keep track of student attendance and performance. The services are taxpayer-funded and are supposedly encrypted from top to bottom.

But officials from the city's Education Department don't believe that Illuminate Education has been completely transparent with the level of its security.

The recent hack revealed that there were portions of the company's service that weren't as protected as they had led their users to believe.

Illuminate has stated that it is working to prevent the issue from happening again.

"There is no evidence of any fraudulent or illegal activity related to this incident,” Illuminate said in a press statement, quoted by The Post. "The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again."

This isn't the first time that hackers have preyed on online vulnerabilities in centers of education. Earlier this year, hackers targeted a middle school in New Mexico, shutting teachers and students out of their attendance records and class rosters. Later, administrators discovered a ransomware attack that had blocked out access to emergency contacts among other key pieces of information.

During the COVID-19 pandemic, hacker groups such as the Russian-based group "Ryuk" launched similar attacks on facilities like hospitals, rich with sensitive personal information. These attacks focused on shutting down hospital functionalities, forcing the institutions to either pay up or circumvent the hack.

Illuminate is only the most recent target in a line of hacking that has put children, education, and public services in its crosshairs. The hacker or hackers responsible for the attack have not yet been identified by investigators.