K-12 vendor breach spreads across New York State

The breach of K-12 software vendor Illuminate Education has now impacted at least 24 districts across New York, according to a report.
K-12 vendor breach
(Getty Images)

A data breach of a vendor in New York City’s public schools that exposed records of more than 820,000 current and former students has spread across the rest of New York State.

The effects of the incident at the company, Illuminate Education, have now been reported at 24 K-12 districts across the state, along with 18 charter schools, prompting Albany officials to launch an investigation of their own.

The breach, which occurred in January, was not disclosed in New York City until late March. Illuminate Education’s products, which include software for tracking grades, attendance records and other student metrics were unavailable for several weeks, angering teachers and parents — and eventually Mayor Eric Adams and Schools Chancellor David Banks.

More notifications related to Illuminate Education went out last month to families in Coventry, Connecticut, where the local school district reported similar data exposures. At least two school districts in Colorado have also been affected.


The involvement of the additional school systems across New York State was first reported by THE Journal, a trade publication covering the K-12 sector. The New York State Department of Education last week also published a template letter for districts that need to notify families about the breach.

“Guidance from the New York State Education Department’s Privacy Office regarding the notification of former students is that each educational agency must do the best it can to notify all students, current and former, regarding the Illuminate Education breach,” the template reads.

Nationwide, Illuminate Education’s products are used by schools serving about 5 million students in total, the company said last month, though it has not provided a full accounting of which districts were affected by this breach. Doug Levin, who heads the K-12 Security Information Exchange, an industry nonprofit, told StateScoop last month it may be difficult to identify the entire scope of the breach.

“Given breach laws in different states, it can be very challenging to get a sense of the full scope,” he said.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts