fbpx

Pupilpath School Database Data Breach Class Action

Is the identity information of a school-age child worth more than that of an adult? The complaint for this class action alleges that this is true. It claims that Illuminate Education, Inc., which stores information from schools on its Pupilpath platform, did not adequately protect the information it maintains and bears responsibility for the data breach it suffered.

The class for this action is persons in New York who used the products or services of Illuminate during the statutes of limitations.

Illuminate offers educational software to store school assessment test results and final grades, track assignments and attendance, and communicate with students and parents, for students between kindergarten and the 12th grade. It may also have stored student photos, physical performance records, and other physical information, the complaint suggests.

Some 5,000 schools, with an enrollment of around 17 million students, use the Pupilpath platform. The complaint claims that Illuminate had not encrypted the information and that this may have been a factor in the theft of the information.

Illuminate became aware of suspicious activity, the complaint claims, on January 8, 2022. Its investigation revealed, on March 24, 2022, that unauthorized parties had gained access to student information between December 28, 2021 and January 8, 2022, the complaint claims. It alleges, “In NY state alone, 820,000 current students in 567 schools are known to be impacted by the breach.”

On March 25, 2022, the complaint alleges, Illuminate notified New York City’s Department of Education (DOE) of the data breach, and the DOE told the police department and other law enforcement agencies. As of the filing date of this complaint, the complaint claims, Illuminate has provided no direct notice to the students affected or their parents.

This delay violates New York’s Education Law, the complaint claims, “which requires that affected schools must be notified of any data breach ‘without unreasonable delay but no more than seven calendar days from the date of discovery of such breach.’” The school is required to notify the individuals whose information was accessed, the complaint alleges, not more than fourteen calendar days from the date the breach was discovered.

Current and former students and some parents in New York City received letters from the DOE, dated March 19, 2022, the complaint claims, telling them a data security incident had taken place.

The complaint cites Doug Levin, who is a national director at K12 Security Information Exchange as saying that the information of a younger person is more valuable than that of an adult. Levin believes, the complaint claims, “that a younger person’s identity information can be abused, and their credit record can be hijacked for five to ten years before anyone figures out the identity has been compromised…”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Pupilpath School Database Data Breach Complaint

June 26, 2022

Is the identity information of a school-age child worth more than that of an adult? The complaint for this class action alleges that this is true. It claims that Illuminate Education, Inc., which stores information from schools on its Pupilpath platform, did not adequately protect the information it maintains and bears responsibility for the data breach it suffered.

Pupilpath School Database Data Breach Complaint

Case Event History

Pupilpath School Database Data Breach Complaint

June 26, 2022

Is the identity information of a school-age child worth more than that of an adult? The complaint for this class action alleges that this is true. It claims that Illuminate Education, Inc., which stores information from schools on its Pupilpath platform, did not adequately protect the information it maintains and bears responsibility for the data breach it suffered.

Pupilpath School Database Data Breach Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy