Privacy & Security

What Schools Can Learn From the Biggest Cyberattack Ever on a Single District

By Alyson Klein — March 30, 2022 2 min read
Gloved hand reaching into a laptop screen hacking someone's account.
  • Save to favorites
  • Print

Hackers successfully targeted a New York City public school district vendor, jeopardizing personal information for some 820,000 current and former students. It was the biggest cyberattack on a single school district in U.S. history, according to Doug Levin, the national director of the K12 Security Information Exchange.

Levin, who has been tracking K12 cybersecurity incidents since 2016, said the January attack on the city school district is one of the clearest illustrations yet of how important it is that districts carefully vet the security practices of the vendors they work with.

The breach of Illuminate Education, whose software helped the nation’s largest school district track grades and attendance, means hackers now have access to personal information such as students’ names, birthdays, and special education and free-lunch statuses, the New York Post reported.

The New York City education department has accused the vendor of misrepresenting its security measures.

“We are outraged that Illuminate represented to us and schools that legally required, industry standard critical safeguards were in place when they were not,” David Banks, the district’s chancellor, told the Post.

The department did not immediately respond to questions from Education Week for more information.

See Also

Image shows a glowing futuristic background with lock on digital integrated circuit.
iStock/Getty Images Plus
Privacy & Security Explainer School Cyberattacks, Explained
Alyson Klein, February 11, 2022
12 min read

Illuminate is in the process of notifying individuals whose data may have been affected, the company said in a statement it provided to Education Week. The company added that “there is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again.”

That response leaves a lot of open questions, Levin said.

“Since they have not been forthcoming about what actually happened, it’s hard to know if they had a reasonable security program in place or not,” Levin said. “Just having an incident, in and of itself, should not necessarily mean that a company was negligent or acting in a reckless manner. Having said that, the lack of transparency here is concerning.”

It is possible that Illuminate misrepresented its cyber safeguards to the district, as the school system’s chancellor told the Post, Levin said. It’s also possible that the company was the victim of shrewd hackers, like those who have breached corporations that almost certainly spend more on cybersecurity than Illuminate, such as Microsoft, he added.

The breach comes as school districts across the country—and the companies that serve them—are increasingly hit by sophisticated cybercriminals, many of whom operate overseas in countries that are tough for U.S. law enforcement to reach.

And it underscores the need for school districts to be vigilant not just about their own security measures, but those of their vendors, Levin said. Vendor hacks can cause all sorts of problems for schools, he explained, noting that one New Hampshire district experienced a school milk shortage after a cyberattack on a local dairy.

“School districts in general, and this is not just a critique of New York, have not been evaluating their vendors based on vendor security practice,” said Levin. “Every type of vendor and supplier that a school district works with relies on technology, and if the school district relies on their services, they have an interest in ensuring that they have reasonable security practices in place.”


School Climate & Safety K-12 Essentials Forum Strengthen Students’ Connections to School
Join this free event to learn how schools are creating the space for students to form strong bonds with each other and trusted adults.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
IT Infrastructure & Management Webinar
Future-Proofing Your School's Tech Ecosystem: Strategies for Asset Tracking, Sustainability, and Budget Optimization
Gain actionable insights into effective asset management, budget optimization, and sustainable IT practices.
Content provided by Follett Learning
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Budget & Finance Webinar
Innovative Funding Models: A Deep Dive into Public-Private Partnerships
Discover how innovative funding models drive educational projects forward. Join us for insights into effective PPP implementation.
Content provided by Follett Learning

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty