On May 6, the NY Post revealed that about two million students in NY State alone may have had their privacy violated by the massive Illuminate data breach; students in CT and CO were also affected.
This is an update from reporting in The Journal, based on FOILed records from NYSED that found at least one million students affected, across 24 school districts and 18 charter schools in New York, plus one Board of Cooperative Educational Service.
The NY State Education Dept. and the NYC DOE needs to do a far better job protecting personal student data and complying with the NY State Student privacy law 2D, which was passed in 2014, and to minimize the sharing of student data, ensuring strict security standards including encryption, and requiring that vendors delete it as soon as possible and at the very least when students graduate, none of which happened here.
Illuminate has reported that the hackers accessed a "database storing some information in the unencrypted format", according to The Record news site, and that the data may have included student and parent names, email addresses, grades, attendance, birth dates, ID numbers, genders, race and ethnicity, languages spoken at home, Title I and disability status and more. Data from the records of students in Colorado and Connecticut may also have been breached.
Two weekends ago, Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, and Doug Levin, Co-Founder and National Director of K12 Security Information Exchange and a national expert on student data breaches, gave presentations at the Network for Public Education national conference in Philadelphia, in which we discussed the Illuminate Breach and the how districts and schools can better protect the privacy of their students and teachers.
Please follow the following links for videos of this session, separated into Part I and Part II, along with questions and comments from the audience.