Wednesday, March 30, 2022

What Illuminate, NYC DOE & the NY State Education Department did wrong to enable one of the largest student data breaches in US history

Late Friday, in a weekend news dump, the NYC Department of Education revealed
that the personal data of about 820,000 students, past and present, had been breached from the program known as Skedula and Pupil Path, who attended NYC public schools going back to the year 2016.  These programs were developed by NYC teachers, but are now owned by a company called Illuminate.

This was possibly the largest district breach in US history, according to Doug Levin, a data security expert who was quoted in the Daily News, (though this Pearson breach that affected multiple districts was larger.There have also been articles in the NY Post and The Record about this hugely damaging breach.

According to these articles, Illuminate says that hackers gained access to the names, birthdays, race and ethnicities, home languages and ID numbers of current and former public-school students, going back to the 2016-17 school year, including in some cases, their disability and free lunch status as well.

If you are a parent whose children was affected by the breach, or you suspect your children might have been; please here is a sample message you can send to DOE to try to find out what data Illuminate had access to for your child.  You can also reach out to us to let us know if you've heard anything from DOE or Illuminate about this, and/or email us info@studentprivacymatters.org with any questions.

This seems to have occurred during the program’s extended shutdown in January, which we wrote about then , speculated that it might have been caused by hackers and result in a data breach.  At that point, both DOE and Illuminate tried to tamp down concerns.  As the DOE spokesperson was quoted by the NY Post at the time, “We’re in close communication with Illuminate Education as they investigate and have been informed that so far there is no confirmation any of our schools’ information was accessed or taken.”

The Post added: “The company did not explain or return messages from The Post, but emailed principals Friday it is transferring the data to a “new secured environment, ” implying that the data had not previously been sufficiently secured.

I was quoted in the Post that teachers often use the system to record very sensitive information about a student’s emotional state or behavior, and to recommend counseling or other intervention services.  It is not clear at this point if those communications and records were breached as well.

Skedula was originally developed by NYC teachers, who started a company called Datacation that was later bought up  by IO Education, which in turn was purchased by Illuminate Education.  According to the NY Post,  Illuminate has received more than $16 million from DOE in the last three years for the use of these programs.  Abram Jiminez, who was hired by ex-Chancellor Carranza to lead a school improvement office, previously worked at Illuminate, and held stock in the company.  He was later forced to quit after the conflict-of-interest was exposed,  as well as other earlier scandals .

Now it turns out that not all the data held by Illuminate was properly encrypted, despite promises made by the vendor in their contractual agreements and as is required by the state student privacy law.  Pertinent language from the NYS student privacy law Education Section 2D, passed in 2014, is  excerpted below:


Many years ago, I submitted a FOIL request without success for all the privacy agreements that DOE had with vendors who had access to student personal information to see if these agreements complied with the state law.  I re-submitted the FOIL request Sept. 2020, more than a year and a half ago. 

After the breach late Friday, the DOE sent me a link to 960 pages of documents consisting of their privacy agreements with 19 vendors, including Illuminate.  Though lengthy, this is far from a comprehensive list, considering DOE contracts with literally hundreds of ed tech vendors whose products they encourage schools to use.

The Illuminate privacy agreements I received are now posted here, along with my comments.  They seem to require relatively strict security controls, including periodic risk assessments,  a mutually agreed upon risk mitigation plan, the right for DOE to review all incidence response reports, and to request an SSAE16 report from the vendor (which I believe means a security audit.)

Moreover, Illuminate also shall allow DOE, upon reasonable notice, to perform security assessments or audits of systems that handle or support Confidential Information. Such an assessment shall be conducted by an independent 3rd party agreed upon by the Vendor and the DOE.” In addition, vendors must engage an independent company to assess the security of their systems annually and produce audit logs for all systems that manage private information.

At this point, it is unclear if the vendor complied with any of these mandates, or if DOE ever asked them to do so, even after the January outage occurred.

In addition, the vendor was required to inform DOE of any suspected breach within 24 hours, instead of waiting for months, as they did in this case.

There is some evidence to suggest that the breach may have occurred when the data was being transferred to an Amazon cloud from a Google cloud. See pp. 34-35, for the question and response by Illuminate on the issue of where the personally identifiable student information (PISI) was stored:

 


This evasive language suggests that at least some of the data was initially stored on an insecure Google Cloud that was not in the US; though they did not answer the question of where it was located.

The following passage implies that migrating data "in bulk" is risky; and if this is attempted, it must be approved in advance by DOE InfoSec:

 

Did DOE approve of this data transfer?  Did they ask any questions about the Google cloud, referenced above?  If DOE did not do its due diligence to follow up on any of these issues, either when the contract was signed or especially after  the January cyberattack occurred,  it is nearly as much at fault as Illuminate.

There is also evidence from this document that DOE profoundly misunderstands FERPA, the primary federal law that protects privacy .  They write the following:

 

And yet actually, FERPA regulates the behavior of districts and schools, not vendors. 

Instead, DOE is responsible for limiting access to any and all student information that Illuminate did not need to perform its contractual obligations, including the highly sensitive student disability information and Free lunch status that ended up being hacked. 

Also, the DOE should have made clear in the contract that all student data should be destroyed, not just when the contract lapsed, but annually, or at the very least, when students left the system, which clearly did not happen.

In any case, it is clear from the law and these documents that the vendor can and should be punished for delaying notification of this breach by as much as $8 million dollars, as well as have its contract immediately revoked, and further fines and possible criminal penalties imposed for lying about having encrypted the data.

Chalkbeat ran an article yesterday about what parents can do to protect their kids from identify theft at this point.  More advice here from JD Supra. Kids’ data is especially vulnerable to identity theft because they have no credit history, and current estimates are that this affects one in every 50 children, and costs families nearly $1 billion a year. Usually, districts or the vendors themselves sign up parents for free for services that are supposed to monitor identity theft– companies like Experian. Unfortunately, in order to sign up, parents have to provide them these companies more personal data, though these companies themselves experienced their own data breaches.

Sadly, there is really no recovering from the harm of having your child’s personal data spilled out on the internet.  The most important lesson to take from this tragic incident is to make sure that DOE cleans up their act in the future by taking the following precautions:

1- DOE should minimize data sharing with third party vendors – instead of encouraging schools to sign up with hundreds of these data-gobbling ed tech companies, as they have done.

2- DOE should minimize the amount of personal data shared with each of their vendors, to restrict this disclosure to ONLY what the vendor needs  to perform its contracted services, rather than give unlimited access, as seems to have happened here.  

3- In their contracts, DOE should require that their vendors should be required to immediately delete student data annually from their records and certainly once the student has graduated.

4- DOE must provide rigorous oversight to ensure that their vendors perform and provide the independent security analyses, reporting, and audits required, including proof of encryption, and if they do not, cut them off immediately, fine them to the maximum, and cut off all future contracts.

5- Finally, the State Education Department should strictly enforce all the provisions in the state law, which still has not happened, despite the fact that the law was passed in 2014.

If you are a parent whose children was affected by the breach, or you suspect your children might have been; please here is a sample message you can send to DOE to try to find out what data Illuminate had access to for your child.  You can also reach out to us at info@studentprivacymatters.org with any questions, and let let us know if you've heard anything from DOE or Illuminate about this.

 

No comments: