FTC Orders Illuminate to Delete Student Data in Landmark Settlement

Summary
– The FTC is proposing a settlement requiring Illuminate Education to delete unnecessary student data and improve its security following a 2021 breach that exposed the information of 10 million students.
– Illuminate, a vendor of cloud-based K-12 student data tools, ran a deficient security program, with problems including weak access controls and storing data in plain text.
– A hacker accessed its systems in late 2021 using old employee credentials, exfiltrating sensitive student data including addresses, birth dates, and health information.
– The company misrepresented its security practices to schools and waited two years to notify impacted districts after the breach.
– The proposed order mandates a data security program, a public data-retention schedule, and penalties for violations, and will be open for public comment.

In a significant move to protect student privacy, the Federal Trade Commission has proposed a settlement requiring Illuminate Education to erase vast amounts of student data and overhaul its security protocols. This action stems from a 2021 breach that compromised the sensitive information of millions of students, highlighting critical failures in how educational technology companies safeguard personal data. The proposed order follows separate multi-million dollar settlements reached by several states, underscoring the severity of the incident.
Illuminate provides a cloud-based platform used by K-12 schools across the country. Its software suite collects and analyzes a wide range of student information, from grades and test scores to attendance records, behavioral notes, and demographic details. Given the highly sensitive nature of this data, robust security is not just expected but legally required. According to the FTC, Illuminate’s protections were profoundly inadequate. The agency cited a lack of basic access controls, ineffective threat detection, poor vulnerability management, and the storage of data in unencrypted plain text.
The breach itself occurred in December 2021. A hacker gained entry to Illuminate’s systems by using login credentials belonging to a former employee who had left the company over three years earlier. With these credentials, the intruder accessed databases hosted by a third-party cloud provider, ultimately exfiltrating the personal data of approximately 10.1 million students. The stolen information included email and home addresses, dates of birth, detailed student records, and even health-related information.
Investigators found that Illuminate had been warned by an outside vendor about pervasive security weaknesses in its networks. Despite these alerts, the company failed to address the problems and continued storing student data without encryption until January 2022. Furthermore, the FTC alleges that Illuminate misled its school district clients about its security posture. Contracts claimed the company’s practices “meet or exceed private industry best practices” and specifically listed data encryption as a protective measure, representations the FTC says were false.
Another point of contention was the timing of notifications. Illuminate waited nearly two years to inform affected school districts about the breach, leaving students and families vulnerable to phishing and identity theft for an extended period without their knowledge. To resolve these allegations, the proposed settlement mandates a comprehensive data security program. Illuminate must delete any student data it does not legitimately need to retain, adhere to a public data retention schedule, cease making deceptive claims about its security, and inform the FTC whenever it reports a data breach to other authorities.
The FTC’s order is currently being finalized and will be open for public comment for thirty days. If the order is finalized and later violated, the company could face civil penalties of up to $51,744 per infraction. This case sets a notable precedent for holding educational technology firms accountable for the security of the sensitive student data they collect and manage.
(Source: Bleeping Computer)