Illuminate Education, a provider of cloud-based tools for K-12 schools to collect and analyze sensitive student data—including academic, attendance, and health records—faced allegations of failing to maintain adequate security for this information. The FTC highlighted multiple security failures, such as a complete lack of access controls, deficient detection and response capabilities, poor vulnerability monitoring and patching, and the egregious practice of storing student data in plain text. These findings underscored the company’s inability to meet the heightened need for protection required for such sensitive subjects.
Illuminate’s inadequate security was fully exposed in December 2021 when an attacker exploited credentials belonging to an employee who had left the company over three years prior. The hacker used these outdated credentials to access databases hosted by a third-party cloud provider, resulting in the exfiltration of personal data for approximately 10.1 million students. The compromised data included email and physical addresses, dates of birth, student records, and health-related information, demonstrating the severe consequences of the company’s lax security posture.
Adding to the gravity of the incident, the FTC noted that Illuminate had been previously warned by a third-party vendor about numerous security flaws within its networks but chose to take no remedial action. Furthermore, the company continued storing student data in unencrypted plain text until January 2022. Compounding these technical failures, Illuminate misrepresented its security commitment to schools, falsely claiming in contracts that its “practices and procedures are designed to meet or exceed private industry best practices” and specifically touting data encryption as a core security measure.
The repercussions of these failures were prolonged due to the company’s delayed response. The FTC indicated that Illuminate waited two full years after the breach occurred before notifying the affected school districts. This extensive delay left the exposed students and users vulnerable to potential harm, such as phishing and other targeted attacks, for an unnecessary and extended period, amplifying the risk created by the initial security lapse.
To resolve these serious allegations, the FTC is mandating that Illuminate implement a comprehensive data security program to significantly improve its defenses. Under the terms of the settlement, Illuminate must now delete all student data deemed unnecessary for its operation, adhere to a publicly available data-retention schedule, immediately cease misrepresenting its security practices, and notify the FTC concurrently when reporting data breach incidents to other authorities. The order will soon be subject to a 30-day public comment period, and any subsequent violations will result in civil penalties of up to $51,744 per case.
Reference:
