Proving the Failures of Student Data Privacy: the Cyberattack on Illuminate Education

Student data is both incredibly personal and woefully underprotected, as we've recently discussed. Student data includes sensitive data like physical and mental health records, disciplinary history, and family financial status. As educational technology companies ("edtech") become more deeply ingrained in schools, they are granted stewardship over more and more sensitive data without being subject to the same privacy laws that restrict schools. One recent case, the cyberattack on edtech company Illuminate Education, proves just how vulnerable sensitive student data is and how flawed the systems to protect it are.

What Happened?

Illuminate Education is a major edtech company that provides schools with student-tracking software. It operates in 5,200 school districts, and its services affect over 17 million students. School districts use Illuminate's software to keep track of students' class progress, grades, behavior, and important information relevant to their school life.

On March 25th, 2022, Illuminate disclosed that it had suffered an unauthorized data access somewhere between December 28th and January 8th. The data breach is estimated to affect the personal information of over 1 million current and former students in dozens of school districts, including the US's two largest school districts, New York City and Los Angeles. The school systems affected by the breach reported that names, birthdates, racial and ethnic profiles, and test scores were leaked; a few reported that even more sensitive information was accessed, like disability status, behavioral incidents, and migrant status.

The breach seems to have been a result of insufficient security on Illuminate's Amazon Web Services data storage. Illuminate stored student data in its AWS system, but it named its AWS web buckets with easily guessable names, like company platforms and products--a common cybersecurity mistake. This meant that hackers could easily find Illuminate's online storage systems.
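As an added illustration (not code from Illuminate or from this article's author), the following sketch shows how a security team could audit its own bucket inventory for the naming mistake described above. The brand terms, the inventory, and the randomness heuristic are all constructed assumptions.

```python
import re

# Hypothetical brand/product vocabulary for the organisation being audited.
BRAND_TERMS = ("examplelearn", "gradebook", "assessments")

def tokens(name):
    """Split a bucket name on the separators S3 allows (hyphen and dot)."""
    return [t for t in re.split(r"[-.]+", name.lower()) if t]

def looks_random(token):
    """Heuristic (an assumption of this example): does the token carry an
    unpredictable component once predictable parts are stripped?"""
    for brand in BRAND_TERMS:                  # drop a fused brand prefix
        if token.startswith(brand):
            token = token[len(brand):]
            break
    token = re.sub(r"\d{1,4}$", "", token)     # drop a trailing year/sequence number
    digits = sum(c.isdigit() for c in token)
    letters = sum(c.isalpha() for c in token)
    return len(token) >= 8 and digits >= 2 and letters >= 2

def guessable_buckets(names):
    """Return names with no random-looking token, i.e. names derivable from
    public knowledge of the company, its products and common suffixes."""
    return [n for n in names if not any(looks_random(t) for t in tokens(n))]

# Constructed inventory for illustration; these are not real bucket names.
INVENTORY = [
    "examplelearn-prod",
    "gradebook2021.backups",
    "assessments-export-staging2",
    "examplelearn-prod-7f3k9x2qa1",
    "uploads-c4e81d07b6f2",
]

if __name__ == "__main__":
    for name in guessable_buckets(INVENTORY):
        print("guessable:", name)
```

A random suffix only makes a bucket harder to find; it does not replace access controls on the bucket itself.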

Those affected have met the data breach with outrage, especially in New York. Illuminate signed a strict data agreement with the New York City school district in 2020. In the agreement, Illuminate was required to safeguard student data and promptly notify officials in the event of a breach. NYC officials allege that Illuminate has failed its end of the agreement, and called on the FBI and NY Attorney General to investigate.

What Does This Mean?

This incident shows how weak the data protections on edtech companies are in the absence of law setting comprehensive standards. Without strict regulation, edtech companies are free to collect just about whatever data they like, and store it however they like, without legal consequences for their failure of data responsibility.

Most of the leaked data is not the most sensitive kind that schools collect: names and grades as opposed to financial or health records. However, information like migrant status and disciplinary record can still have significant consequences when exposed to the public. Past disciplinary problems can affect future education or career prospects, and information about migrant status can be used for discriminatory or harassment purposes by private individuals or immigration enforcement.

The edtech industry is not against increased regulation; in 2014 many edtech service providers signed on to the Student Privacy Pledge, promising to maintain a certain standard of security for student data. While impressive, a pledge by the industry itself means little without regulatory standards and enforcement. Illuminate signed on to the Pledge, and yet it clearly did not take its data security duties seriously enough. The Pledge said that the FTC could hold companies accountable for failures of student data privacy, but the FTC has not enforced the Pledge even once despite repeated failures of edtech privacy and security practices. Even though some of the data could be considered personal health information, like disability status, HIPAA does not apply since edtech companies are not covered by that law. Health data managed by schools is protected by FERPA, but that student data protection law does not apply to edtech companies either.

The federal government has shown itself to be more willing to protect investors than students. In 2021, the SEC charged edtech company Pearson for lying to investors about a data breach that leaked the birthdates and email addresses of millions of students. While the financial regulator protected the interests of investors, nothing was done to make up for the violation of the students' personal data.

What Can Be Done?

For the data leaked in the Illuminate breach, it is already too late. Once the information is out, it can be posted or sold anywhere. While Illuminate claims that there is "no evidence that any information was subject to actual or attempted misuse," the violation of trust is damage enough.

The most important takeaways from this breach are that student data is woefully underprotected relative to its sensitivity, and that edtech companies collect more than they need and aren't practicing data responsibility.

For the general public, the best things to do are to voice your concerns about your children's data rights to your school district and to teach your children about good data privacy to limit the amount of sensitive data they give to unregulated edtech companies.

The government needs to do more to regulate and control edtech data collection, both to prevent possible misuse and set standards for security to prevent breaches like this from happening again. The laws that do exist, like the Children's Online Privacy Protection Act (COPPA), need to actually be enforced against edtech companies. The FTC announced in May that it intends to crack down on edtech violations of COPPA--they are a bit late to the game, considering the increasing number and severity of edtech breaches, but this will bring some much-needed accountability to the industry. FERPA also needs to be expanded to cover edtech as well as schools--as edtech becomes more vital and deeply integrated into school systems, a massive amount of data that would otherwise be under FERPA is instead in unregulated control.

Even though laws have largely failed to keep up with the technology, edtech companies still have an ethical responsibility to maintain a certain standard of practices considering the sensitive nature of the children's data they are processing. Companies should know better than to store data in as insecure a method as Illuminate did.

Even if edtech companies start holding themselves to a higher standard of data security, they will still be holding a veritable treasure trove of sensitive data. A standard of data minimization--only collecting the minimal amount of data needed for a given purpose, and deleting it after its purpose is achieved--would go a long way in ensuring the safety of the data. While edtech companies do need to collect and archive a lot of student data as part of their services to schools, there are likely some areas where that data can be reduced.

Regardless of the eventual consequences, the lesson of the Illuminate data breach is clear: edtech companies' data security is well below the standard warranted by the sensitivity and scale of the data they collect. It remains to be seen, however, how this will be reflected in the law or industry standards.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to empower companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), COPPA, and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.