The software that many school districts use to track students’ progress can record extremely confidential information on children: “Intellectual disability.” “Emotional Disturbance.” “Homeless.” “Disruptive.” “Defiance.” “Perpetrator.” “Excessive Talking.” “Should attend tutoring.”
Now these systems are coming under heightened scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student-tracking software, which affected the personal information of more than a million current and former students across dozens of districts — including in New York City and Los Angeles, the nation’s largest public school systems.
Officials said in some districts the data included the names, dates of birth, races or ethnicities and test scores of students. At least one district said the data included more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.
Chicago Public Schools, the nation’s third-largest district.
Now some cybersecurity and privacy experts say that the cyberattack on Illuminate Education amounts to a warning for industry and government regulators. Although it was not the largest hack on an ed tech company, these experts say they are troubled by the nature and scope of the data breach — which, in some cases, involved delicate personal details about students or student data dating back more than a decade. At a moment when some education technology companies have amassed sensitive information on millions of school children, they say, safeguards for student data seem wholly inadequate.
“There has really been an epic failure,” said Hector Balderas, the attorney general of New Mexico, whose office has sued tech companies for violating the privacy of children and students.
In a recent interview, Mr. Balderas said that Congress had failed to enact modern, meaningful data protections for students while regulators had failed to hold ed tech firms accountable for flouting student data privacy and security.
outpacing protections for students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and security laws. In 2014, dozens of K-12 ed tech providers signed on to a national Student Privacy Pledge, promising to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which polices deceptive privacy practices, would be able to hold companies to their commitments. President Obama endorsed the pledge, praising participating companies in a major privacy speech at the F.T.C. in 2015.
The F.T.C. has a long history of fining companies for violating children’s privacy on consumer services like YouTube and TikTok. Despite numerous reports of ed tech companies with problematic privacy and security practices, however, the agency has yet to enforce the industry’s student privacy pledge.
In May, the F.T.C. announced that regulators intended to crack down on ed tech companies that violate a federal law — the Children’s Online Privacy Protection Act — which requires online services aimed at children under 13 to safeguard their personal data. The agency is pursuing a number of nonpublic investigations into ed tech companies, said Juliana Gruenwald Henderson, an F.T.C. spokeswoman.
company’s site says its services reach more than 17 million students in 5,200 school districts. Popular products include an attendance-taking system and an online grade book as well as a school platform, called eduCLIMBER, that enables educators to record students’ “social-emotional behavior” and color-code children as green (“on track”) or red (“not on track”).
Illuminate has promoted its cybersecurity. In 2016, the company announced that it had signed on to the industry pledge to show its “support for safeguarding” student data.
Concerns about a cyberattack emerged in January after some teachers in New York City schools discovered that their online attendance and grade book systems had stopped working. Illuminate said it temporarily took those systems offline after it became aware of “suspicious activity” on part of its network.
On March 25, Illuminate notified the district that certain company databases had been subject to unauthorized access, said Nathaniel Styer, the press secretary for New York City Public Schools. The incident, he said, affected about 800,000 current and former students across roughly 700 local schools.
For the affected New York City students, data included first and last names, school name and student ID number as well as at least two of the following: birth date, gender, race or ethnicity, home language and class information like teacher name. In some cases, students’ disability status — that is, whether or not they received special education services — was also affected.
said they were outraged. In 2020, Illuminate signed a strict data agreement with the district requiring the company to safeguard student data and promptly notify district officials in the event of a data breach.
kept student data on the Amazon Web Services online storage system. Cybersecurity experts said many companies had inadvertently made their A.W.S. storage buckets easy for hackers to find — by naming databases after company platforms or products.
a spate of cyberattacks on both ed tech companies and public schools, education officials said it was time for Washington to intervene to protect students.
“Changes at the federal level are overdue and could have an immediate and nationwide impact,” said Mr. Styer, the New York City schools spokesman. Congress, for instance, could amend federal education privacy rules to impose data security requirements on school vendors, he said. That would enable federal agencies to levy fines on companies that failed to comply.
One agency has already cracked down — but not on behalf of students.
Last year, the Securities and Exchange Commission charged Pearson, a major provider of assessment software for schools, with misleading investors about a cyberattack in which the birth dates and email addresses of millions of students were stolen. Pearson agreed to pay $1 million to settle the charges.
Mr. Balderas, the attorney general, said he was infuriated that financial regulators had acted to protect investors in the Pearson case — even as privacy regulators failed to step up for schoolchildren who were victims of cybercrime.
“My concern is there will be bad actors who will exploit a public school setting, especially when they think that the technology protocols are not very robust,” Mr. Balderas said. “And I don’t know why Congress isn’t terrified yet.”
Square, another payments company, bought $50 million of Bitcoin and changed its name to Block, in part to signify its work with blockchain technology. Tesla bought $1.5 billion of it. The venture capital firm Andreessen Horowitz raised $4.5 billion for a fourth cryptocurrency-focused fund, doubling its previous one.
Excitement hit a peak in April last year when Coinbase, a cryptocurrency exchange, went public at an $85 billion valuation, a coming-out party for the industry. Bitcoin topped $60,000 for the first time.
Last summer, El Salvador announced that it would become the first country to classify Bitcoin as legal tender, alongside the U.S. dollar. The country’s president updated his Twitter profile picture to include laser eyes, a calling card of Bitcoin believers. The value of El Salvador’s $105 million investment in Bitcoin has been slashed in half as the price has fallen.
Senators and mayors around the United States began touting cryptocurrency, as the industry spent heavily on lobbying. Mayor Eric Adams of New York, who was elected in November, said he would take his first three paychecks in Bitcoin. Senators Cynthia Lummis, Republican of Wyoming, and Kirsten Gillibrand, Democrat of New York, proposed legislation that would create a regulatory framework for the industry, giving more authority to the Commodity Futures Trading Commission, an agency that crypto companies have openly courted.
Through the frenzy, celebrities fueled the fear of missing out, flogging their NFTs on talk shows and talking up blockchain projects on social media. This year, the Super Bowl featured four ads for crypto companies, including Matt Damon warning viewers that “fortune favors the brave.”
That swaggering optimism faltered this spring as the stock market plummeted, inflation soared and layoffs hit the tech sector. Investors began losing confidence in their crypto investments, moving money to less risky assets. Several high-profile projects crashed amid withdrawals. TerraForm Labs, which created TerraUSD, a so-called stablecoin, and Celsius, an experimental crypto bank, both collapsed, wiping out billions in value and sending the broader market into a tailspin.
When Tom Naratil arrived on Wall Street in the 1980s, work-life balance didn’t really exist. For most bankers of his generation, working long hours while missing out on family time wasn’t just necessary to get ahead, it was necessary to not be left behind.
But Mr. Naratil, now president of the Swiss bank UBS in the Americas, doesn’t see why the employees of today should have to make the same trade-offs — at the cost of their personal happiness and the company’s bottom line.
Employees with the flexibility to skip “horrible commutes” and work from home more often are simply happier and more productive, Mr. Naratil said. “They feel better, they feel like we trust them more, they’ve got a better work-life balance, and they’re producing more for us — that’s a win-win for everybody.”
Welcome to a kinder, gentler Wall Street.
Much of the banking industry, long a bellwether for corporate America, dismissed remote working as a pandemic blip, even leaning on workers to keep coming in when closings turned Midtown Manhattan into a ghost town. But with many Wall Street workers resisting a return to the office two years later and the competition for banking talent heating up, many managers are coming around on work-from-home — or at least acknowledging it’s not a fight they can win.
rolled out its plan last month to allow 10 percent of its 20,500 U.S. employees to work remotely all the time and offer hybrid schedules for three-quarters of its workers.
“Talent will move, and it’s not only about a paycheck,” he said.
said. Wells Fargo started bringing back most of its 249,000-person work force in mid-March with what it calls a “hybrid flexible model” — for many corporate employees, that entails a minimum of three days a week in the office, while groups that cater to the bank’s technology needs will be able to come in less often.
BNY Mellon, which has nearly 50,000 employees, is allowing teams to determine their own mix of in-person and remote work. And it introduced a two-week “work from anywhere” policy for people in certain roles and locations. “The energy around the office has been palpable” as employees eagerly map out their plans, said Garrett Marquis, a BNY Mellon spokesman.
Moelis & Company, a boutique investment bank, has strongly encouraged its almost 1,000 staff members to come to the office Monday through Thursday, but with added “intraday flexibility” over their hours, said Elizabeth Crain, the company’s chief operating officer. That might mean dropping children off at school in the morning, or taking the train during daylight hours for safety reasons, she said. The new approach fosters teamwork and enables employees to learn from one another in person, while also giving them more control over their schedules.
Ms. Crain said everyone was much more flexible. “We all know we can deliver,” she said.
Ms. Crain, who has worked in the financial industry for more than three decades, recently committed to something that would have been unthinkable before the pandemic: a weekly 9 a.m. session with a personal trainer near her office. She said she hoped that breaking out of the confines of the traditional workday sent a message to employees that they were trusted to get the job done while making time for their personal priorities.
said last month.
But he and Goldman’s David Solomon have welcomed efforts to get workers back into Manhattan offices. Mr. Solomon echoed Mayor Eric Adams at a talk at Goldman’s headquarters in March, saying it was “time to come back.”
Andrea Williams, a spokeswoman for Goldman Sachs, said returning to the office “is core to our apprenticeship culture” and client-focused business. “We are better together than apart, especially as an employer of choice for those in the beginning stage of their career,” she said.
For months, Mr. Dimon has made a similar argument at JPMorgan — and continued to even as he said about half its employees would work from home at least some of the time.
“Most professionals learn their job through an apprenticeship model, which is almost impossible to replicate in the Zoom world,” he wrote. JPMorgan has hired more than 80,000 workers during the pandemic, he said, and it strives to train them properly.
building a new headquarters in Midtown that will be the home base for up to 14,000 workers, will move to a more “open seating” arrangement.
Banks outside New York are also adapting: KeyCorp, which is based in Cleveland, hasn’t set a specific return-to-office date, but expects half its staff to eventually show up four or five days a week. Another 30 percent will probably come in for one to three days, with the ability to work from different offices. And 20 percent will work from home, albeit with in-person training and team-building events.
The new setup is “uncharted territory” that is necessary to keep the work force engaged, said Key’s chief executive, Chris Gorman. While he comes in every day and is a big believer in face-to-face meetings, Mr. Gorman said he had avoided a heavy-handed approach that could alienate employees and prompt them to look elsewhere.
Mr. Naratil, the UBS president, is also a believer in in-person gatherings — he still spends most of his week at UBS’s office in Weehawken, N.J. — but he said the great remote-work experiment of the last two years had debunked the myth that employees were less productive at home. In fact, he said, they are more productive.
The increasingly hybrid workplace has forced leaders to connect with their teams in new ways, like virtual happy hours, Mr. Naratil said. The rank and file have shown that they can rise to the occasion, and the onus is on bosses to attract workers back to physical spaces to generate new ideas and strengthen relationships.
Managers, he said, need to have a good answer when their employees ask the simple question: “Why should I be in the office?”
“It’s not ‘Because I told you to,’” he said. “That’s not the answer.”