Illuminate Education breach that affected NYC schools spreads to Connecticut

A school district in a small Connecticut town said it too may have been affected by a breach of Illuminate Education software.
public school front entry
(Getty Images)

A school district in Coventry, Connecticut, notified families of its students this week that students’ data may have been swept up in a breach of one of its vendors earlier this year. The breach-notification letter, dated Tuesday, stated that data belonging to the roughly 1,700 students enrolled in Coventry Public Schools may have been exposed in a January breach of Illuminate Education, a software company that develops software that tracks students’ academic progress.

The Illuminate product in question, called eduCLIMBER, is used by school districts to track students’ grades, attendance and behavioral development, according to the company’s website. Coventry Public Schools’ letter was mandated by a Connecticut law that requires school districts to inform parents if an IT vendor that handles data on their kids suffers a data breach.

The breach at Illuminate Education has also affected the New York City Department of Education, which earlier this year said the incident exposed data pertaining to 820,000 current and former students in the nation’s biggest K-12 system. City officials, led by Mayor Eric Adams, have demanded an investigation into the company.

In its letter, Coventry Public Schools said there is no evidence any of the data exposed by the breach was used maliciously, though any students found to be affected will be eligible for one year of identity monitoring services.


The letter is evidence that Illuminate Education’s woes are not limited to New York City and could spread further, according to Doug Levin, who heads up the K-12 Security Information Exchange. The group, which tracks cybersecurity incidents affecting grade schools, has found in some years that three-fourths of attacks and breaches begin with one of the numerous IT vendors that supply primary and secondary schools.

“This is another example of challenges for vendors, particularly those that serve large numbers of students,” Levin told StateScoop. “This latest notification certainly seems to be confirmation this was not limited to New York City schools.”

Coventry, Connecticut, sits in the middle of the state, about 130 miles northeast of New York City. Illuminate Education said last month that, nationally, its software is used in school districts serving 5 million total students.

“It’s hard to imagine it was New York City and this Connecticut district and no other districts,” Levin said.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts