The city school system plans to send letters to families of current and former students with explanations of what identifiable information was included in the hack, sources said. Illuminate Education does not store financial information or social security numbers, the company said. Social security numbers, family financial account information and individual education plans were not accessed, sources said. "The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again."ĭemographic data, academic information and economic profiles were among the data accessed by the hackers, though Illuminate Education had yet to share enough details for the department to determine the breadth of the breach, sources said.
There is no evidence of any fraudulent or illegal activity related to this incident," Illuminate Education said in a statement Saturday. "We are in the process of notifying customers that may have been affected.
The city Department of Education was not informed students’ data was subject to the hack until Friday, sources said. “We understand how important it is that families can trust that their child’s data is protected, and we are exploring options to hold Illuminate accountable for violating that trust.” “We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not,” Banks said in a statement Friday.
Student privacy is of the utmost importance to our school district/charter school and we are therefore monitoring this incident closely and will keep you apprised if there are changes to the situation.The city schools chancellor is calling for an investigation of a software company after data of 820,000 students was hacked in January.Ĭhancellor David Banks blamed software company Illuminate Education for the hack in a statement Friday, urging the state education department to conduct a probe. If you are a former student and would like additional information, please contact us at (phone number) or be email at (email address), so that we may send you a letter with additional information on the data accessed. The data accessed pertains to the following school years, _ (insert years).Īffected current students and former students for which we have contact information, teachers and principals where applicable will receive a letter from us/Illuminate Education with more information on the information accessed. The Illuminate Education products used by our school district/charter school are/were_.Īccording to Illuminate Education the affected databases included names, demographic and academic information. As such, this notice is to inform you that Illuminate Education, an educational software company which products are used in our school district/charter school, has informed us that some databases containing potentially protected student information were subject to unauthorized access between December 28, 2021, and January 8, 2022. In accordance with State Education Law 2-d we are required to notify you when a third-party contractor that receives student data or teacher or principal data pursuant to a contract or written agreement with us had an unauthorized release of such data.
Finally, a notice on the educational agency’s web page is appropriate because of the past years the breach includes.īelow is a sample web page notification that you might choose to use when notifying the parents/guardian of current students, eligible students and in this case former students as well as potentially, teachers and principals, about the Illuminate Education breach.Īs a reminder Education Law 2-d (6)(c) and Commissioner’s regulations § 121.10(f) state that where a breach or unauthorized release is attributed to a third party contractor, the third party contractor shall pay for or promptly reimburse the educational agency for the full cost of the notifications.ĭear Parent/Guardian, eligible students and former students and teachers and principals (where applicable):
Additionally, it is advised that each educational agency maintain a list of the current students’ parent/guardians and former students it attempted to notify individually. Therefore, each educational agency must notify all former students for whom it has any address or location information, including an email address. Guidance from the New York State Education Department’s Privacy Office regarding the notification of former students is that each educational agency must do the best it can to notify all students, current and former, regarding the Illuminate Education breach.