Illuminate Education- Data Security Incident Information

There was an incident regarding a data security incident involving a company, Illuminate Education (Illuminate), that may affect some student's personal information. The letter attached you will find an explanation of what Illuminate is, what happened, what information was involved, Illuminate’s response, the New York City Department of Education’s (NYCDOE) ongoing response, and steps you can take right now to help protect your child’s information. The DOE is taking this incident very seriously and are committed to protecting our students’ personal information. We have been informed by Illuminate that no financial account information or social security numbers were affected in this incident.
 
Who was affected by this incident?
The DOE has partnered with a vendor (IDX) to notify families impacted by the incident involving Illuminate. IDX will mail letters to families impacted by this incident (May 19) and tomorrow (May 20). If you did not receive a letter then you were NOT affected. 
 
What is Illuminate Education?
Illuminate is a company that provides educational applications and technology support to schools. Some DOE schools choose to use these products and services. Schools use Illuminate’s software to track student attendance, assignments and grades, and to communicate with families, administer tests and exams, and help with other administrative work. In order to provide its services, Illuminate creates, maintains, and controls its own software, and stores information about students. 
 
When did this incident happen?
Between December 28, 2021, and January 8, 2022. 
 
What personal information was affected?
Illuminate informed the New York City Department of Education of the following: 
  • No financial account information or Social Security numbers were affected in this incident.
  • The affected databases contained the following information about all affected DOE students: first and last name, DOE student identification number (also known as OSIS number), and school.
  • The affected databases contained at least two of the following information items for all affected DOE students: date of birth, gender, grade level, race or ethnicity, home language, and course information (including teacher name and/or subject).
  • In addition, the affected databases contained the following types of information for some students: academic testing information, whether the student is an English Language Learner, whether the student receives special education services, and (for a very small number of students) whether the student is economically disadvantaged.
How will affected students and families being notified?
The DOE has partnered with a vendor (IDX) to notify families impacted by the incident involving Illuminate. IDX mailed letters to families impacted by this incident between May 19 and May 20. Families will be advised to call IDX at 1-833-940-2427or visit https://response.idx.us/nycschools(Open external link) if they have any questions or want to enroll in identity monitoring services.
 
Students and families can call 1-833-940-2427 to request specific information. Students and families should have the following information ready: name, phone number, email address, student name, student date of birth, student ID number (also known as OSIS number), and school of enrollment. To protect students’ privacy, the DOE must first verify their identity before sharing specific data.
 

Have the police or local authorities been notified?

The New York City Department of Education reported to the New York City Police Department. It also notified the New York State Office of the Attorney General and the New York State Education Department. The DOE is coordinating with the New York City Cyber Command, the New York City Office of Information Privacy, and the New York City Law Department. 
 

What is the New York City Department of Education doing to prevent this kind of loss from happening again?

 
The New York City Department of Education sincerely regrets that student information was involved in this incident. It is committed to protecting students’ information and is taking significant steps to keep this from happening again. First, the DOE verified that no DOE computer systems were affected. Then it began its own investigation and has been working to gather more information to understand how the incident happened and whether it can continue to use Illuminate’s products and services. This investigation is ongoing. At the same time, the DOE is reviewing security procedures taken by other vendors that provide similar services to DOE schools, families, and students.
Published Print