Parents and students who have reached age 18 have the right to be notified when their identifiable information has been the subject of unauthorized acquisition, access, use, or disclosure. Listed below are incidents of note. Impacted parents and students age 18 and older have been notified of these incidents. An incident of note is when the DOE relied on a vendor to assist with parental and student notifications. You can find out additional information about these events by clicking on the down arrow next to each incident.
Illuminate Education (2022)
What happened?
Illuminate notified the New York City Department of Education of the following about the incident:
- On January 8, 2022, Illuminate became aware of suspicious activity in certain of its applications.
- Illuminate immediately took steps to secure the affected applications and launched an investigation with external forensic specialists to determine the nature and scope of the activity. Illuminate also contacted the FBI.
- On March 24, 2022, Illuminate confirmed through its investigation that between December 28, 2021, and January 8, 2022, certain of Illuminate’s databases that contained potentially protected student information were subject to unauthorized access.
- Illuminate notified the New York City Department of Education (DOE) on March 25, 2022, of its investigation’s findings.
- The scope of the incident is limited to Illuminate applications, and no DOE computer systems were affected.
- Aside from the initial incident, DOE is not aware of any further misuse or attempted misuse of the affected information.
When did this incident happen?
Between December 28, 2021, and January 8, 2022.
What personal information was affected?
Illuminate informed the New York City Department of Education of the following:
- No financial account information or Social Security numbers were affected in this incident.
- The affected databases contained the following information about all affected DOE students: first and last name, DOE student identification number (also known as OSIS number), and school.
- The affected databases contained at least two of the following information items for all affected DOE students: date of birth, gender, grade level, race or ethnicity, home language, and course information (including teacher name and/or subject).
- In addition, the affected databases contained the following types of information for some students: academic testing information, whether the student is an English Language Learner, whether the student receives special education services, and (for a very small number of students) whether the student is economically disadvantaged.
Was free and reduced price school lunch data affected?
Illuminate has informed the New York City Department of Education that no free and reduced price lunch data of DOE students was affected by the incident.
Were student IEPs affected?
Illuminate has informed the New York City Department of Education that no student IEPs, nor any content from student IEPS, was affected by the incident. However, for some students, whether a student receives special education services (in other words, yes or no), was affected.
What specific information of mine/my child’s was affected?
If you received a notice that your family was affected and wish to request more specific information, please email Illuminatequestions@schools.nyc.gov and include your name, phone number, email address, student’s name, student’s date of birth, and the student’s ID number. To protect students’ privacy, the New York City Department of Education must first verify your identity before sharing specific student data. Someone from the DOE will contact you within a week.
How many years of personal information was affected?
Illuminate has informed the New York City Department of Education that the oldest data affected is from the 2016-17 school year. However, the years for which personal information was affected varies by school and by student.
Was the information encrypted?
Illuminate has told the New York City Department of Education that the affected databases were not encrypted at the time of the incident.
How many students were affected?
Approximately 800,000 current and former New York City Department of Education students were affected.
How many schools were affected?
Approximately 700 New York City Department of Education schools that currently or previously used Illuminate’s applications were affected. However, not all schools that use Illuminate’s applications were affected by this incident.
Why did I get multiple letters?
This could happen if you have more than one child whose information was affected. It could also happen if your child(ren) attended different schools in different districts over one or more school years. It could also happen if your child(ren) attended a New York City Department of Education school as well as a charter school over one or more school years.
Why did I get only one letter when I have one or more children?
It is possible that only one of your children had information that was affected.
Who is Illuminate Education?
Illuminate is a company that provides educational applications and technology support to schools. Some DOE schools choose to use these products and services. Schools use Illuminate’s software to track student attendance, assignments and grades, and to communicate with families, administer tests and exams, and help with other administrative work. In order to provide its services, Illuminate creates, maintains, and controls its own software, and stores information about students, including information about you and/or your child.
Have the police or local authorities been notified?
The New York City Department of Education reported to the New York City Police Department. It also notified the New York State Office of the Attorney General and the New York State Education Department. The DOE is coordinating with the New York City Cyber Command, the New York City Office of Information Privacy, and the New York City Law Department.
Has legal action been taken against Illuminate?
The NYC Department of Education is not aware of any litigation or claims at this time related to this matter. The DOE is reviewing its contractual and legal rights associated with the incident.
Will the DOE continue to use Illuminate?
After extensive investigation and deliberation, and based on our deep commitment to protecting the privacy of our families and students, we directed all schools to cease using any Illuminate products and services after June 30, 2022.
Why didn't you tell affected individuals about the loss of the data sooner?
On March 25, 2022, Illuminate informed the New York City Department of Education that its investigation determined that certain student information was contained in the affected databases. Upon receiving confirmation from Illuminate, the DOE had to gather relevant information from Illuminate on which students were affected, locate their contact information in the DOE’s own databases, and make the appropriate decisions to line up the assistance services that were offered to affected individuals.
What is the New York City Department of Education doing to prevent this kind of loss from happening again?
The New York City Department of Education sincerely regrets that student information was involved in this incident. It is committed to protecting students’ information and is taking significant steps to keep this from happening again. First, the DOE verified that no DOE computer systems were affected. Then it began its own investigation and gathered more information to understand how the incident happened and whether it can continue to use Illuminate’s products and services. After extensive investigation and deliberation, and based on our deep commitment to protecting the privacy of our families and students, we directed all schools to cease using any Illuminate products and services after June 30, 2022. The DOE also is reviewing security procedures taken by other vendors that provide similar services to DOE schools, families, and students.
What is the deadline for registering for the pre-paid package of identity protection services?
The deadline to enroll was August 19, 2022.
If there are any updates regarding this incident, how will I be notified?
The New York City Department of Education will reach out to affected families if it has new information to communicate to them about this incident.
Has the information been misused?
Aside from the initial incident, the New York City Department of Education is not aware of any further misuse or attempted misuse of the affected information.