Illuminate Agrees to Purge Excess Student Data in FTC Settlement

FTC Settlement Requires Illuminate Education to Enhance Data Security

The Federal Trade Commission (FTC) has proposed an order requiring education technology provider Illuminate Education to strengthen its data security, including by deleting student data it has no need to keep. The action addresses allegations stemming from a 2021 breach that exposed the personal information of roughly 10 million students.

This decision from the FTC follows settlements reached by the states of California, Connecticut, and New York with Illuminate, wherein a total of $5.1 million was agreed upon to resolve legal cases related to the same incident.

Illuminate Education serves as a cloud-based technology vendor catering to K-12 schools and school districts. Their offerings include a suite of tools designed for collecting, organizing, analyzing, and reporting student data, encompassing academic performance, assessments, attendance, scheduling, as well as demographic and behavioral data.

Despite the sensitivity of that data, the FTC identified several shortcomings in Illuminate's security program: inadequate access controls, weak detection and response capabilities, poor vulnerability monitoring and patching, and storage of sensitive student data in plain text.

The lapses came to light in December 2021, when an attacker gained access to the company's systems using the still-valid credentials of a former employee who had left more than three years earlier. From there, the attacker reached Illuminate's databases, hosted with a third-party cloud provider, and obtained the personal details of around 10.1 million students, including email addresses, physical addresses, dates of birth, student records, and health-related information.
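The control that failed here is offboarding: the account used in the breach should have been disabled when its owner left, three years before the intrusion. As an added illustration (not Illuminate's code, and not anything drawn from the FTC order), the script below shows the audit a defender would run to catch that condition: join an identity-provider account export against the HR separation list and report every enabled account whose owner has departed, distinguishing accounts that were merely left open from ones that were actually used after departure. The record formats and all sample data are constructed for this example and are not any real product's schema.

```python
"""Stale-credential audit: flag accounts still enabled after their owner left.

Added example, not code from Illuminate or the FTC. The account and
separation record formats below are assumptions; the sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """One row of an identity-provider export (assumed format)."""
    username: str
    enabled: bool
    last_login: date | None   # None means the account has never logged in


@dataclass(frozen=True)
class Separation:
    """One row of the HR separation list (assumed format)."""
    username: str
    departed: date


@dataclass(frozen=True)
class Finding:
    username: str
    days_since_departure: int
    reason: str


def audit_stale_accounts(accounts, separations, as_of, grace_days=1):
    """Return a Finding for every enabled account whose owner departed more
    than grace_days before as_of, most overdue first.

    Offboarding should disable the account on the departure date; anything
    beyond the grace period is a control failure. A login dated after the
    departure is reported with a stronger reason, because it is evidence of
    use rather than mere exposure.
    """
    departed_on = {s.username: s.departed for s in separations}
    findings = []
    for acct in accounts:
        left = departed_on.get(acct.username)
        if left is None or not acct.enabled:
            continue                      # current staff, or already disabled
        age = (as_of - left).days
        if age <= grace_days:
            continue                      # within the offboarding window
        if acct.last_login is not None and acct.last_login > left:
            reason = "enabled and used after departure"
        else:
            reason = "enabled after departure"
        findings.append(Finding(acct.username, age, reason))
    findings.sort(key=lambda f: f.days_since_departure, reverse=True)
    return findings


# Constructed sample data: one current employee, one long-departed account
# that is still active and recently used, one recent leaver never disabled,
# one correctly disabled leaver, and a service account with no HR record.
AS_OF = date(2021, 12, 28)
ACCOUNTS = [
    Account("jdoe", True, date(2021, 12, 27)),
    Account("asmith", True, date(2021, 12, 20)),
    Account("bchen", True, None),
    Account("rlee", False, date(2019, 3, 1)),
    Account("svc-backup", True, date(2021, 12, 27)),
]
SEPARATIONS = [
    Separation("asmith", date(2018, 6, 15)),
    Separation("bchen", date(2021, 11, 30)),
    Separation("rlee", date(2019, 3, 2)),
]


if __name__ == "__main__":
    for f in audit_stale_accounts(ACCOUNTS, SEPARATIONS, AS_OF):
        print(f"{f.username}: {f.reason} ({f.days_since_departure} days)")
```

Run against a real export, the join key must be an identifier HR and the identity provider share; username alone is often not that. Note also what the audit does not see: `svc-backup` has no HR owner and passes silently, so service and shared accounts need a separate ownership register, and an account disabled in one system may still hold live keys or sessions elsewhere.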

Illuminate had been alerted by a third-party vendor to security vulnerabilities within its networks. Despite these warnings, the company failed to take corrective action, continuing to store student data in plain text until January 2022.


The FTC also charged Illuminate with misrepresenting its security posture to schools. The company's contracts claimed that its practices exceeded industry standards and specifically stated that it encrypted student data; neither claim was true.

Furthermore, Illuminate delayed notifying affected school districts for two years post-incident, leaving users vulnerable to phishing and other cyber threats for an extended period. To address these issues, the FTC is mandating Illuminate to enhance its defenses through a comprehensive data security program.

Under the settlement terms, Illuminate will need to eliminate unnecessary data, adhere to a public data retention schedule, cease misrepresenting security practices, and inform the FTC when reporting data breaches to other authorities.

The proposed order is open for public comment for 30 days before the FTC decides whether to finalize it. Each violation of a final order could carry a civil penalty of up to $51,744.
