
The Federal Trade Commission (FTC) has ordered education technology provider Illuminate Education, Inc. to overhaul its data security practices and delete unnecessary personal data following a massive breach that exposed sensitive information of over 10 million students across the US.
The FTC’s announcement follows a separate $5.1 million multi-state settlement in early November led by the Attorneys General of California, Connecticut, and New York, which also penalized Illuminate for failing to protect student data. Both actions stem from a 2021 breach where attackers exploited decades-old credentials to access cloud-stored student data, revealing widespread lapses in the company’s security controls.
According to the FTC’s complaint, the breach occurred in late December 2021, when a hacker used the still-valid credentials of a former employee who had left the company more than three years earlier to access databases hosted by a third-party cloud provider. The intruder extracted sensitive data from approximately 10.1 million student records, including names, email and mailing addresses, dates of birth, academic records, and health-related information.
Illuminate, based in Wisconsin, provides cloud-based data management and analytics software to K-12 school districts, collecting and storing student data on behalf of educational institutions. The FTC alleges that the company made repeated assurances about strong data security in both marketing materials and contracts with schools, claims that were ultimately contradicted by its failure to implement industry-standard safeguards.
Technical failures highlighted in the FTC and state-level investigations reveal a pattern of neglect:
- Data stored in plaintext: Illuminate reportedly stored student data unencrypted until at least January 2022, long after the breach occurred.
- Outdated access controls: The attacker accessed the system using login credentials of a former employee. The company had failed to disable these credentials, despite the user having left over three years earlier.
- Lack of monitoring and threat detection: Illuminate did not deploy effective monitoring or logging to detect unusual activity, allowing the attacker to create new accounts and maintain access unnoticed.
- Backup compromise: California investigators found that backups were stored in the same network segment as active databases, meaning once the attacker breached one system, they could access both primary and backup data, defeating the purpose of backups.
- Delayed breach notification: Illuminate failed to notify many affected school districts in a timely manner. Some districts representing over 380,000 students were not informed of the breach until nearly two years later.
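Two of the failures above, credentials that outlive the employee and no alerting on account creation, are the kind of thing a district or vendor can check mechanically. The following is an added illustration, not code from Illuminate or from the investigations: it reconciles a constructed identity-provider user list against a constructed HR separation roster and then runs a simple detection over a few constructed audit-log lines, flagging any activity by a separated user and any account-management action (new user, role grant) regardless of who performed it. The data, field names and log format are all hypothetical.

```python
from datetime import date

# --- Constructed sample data (hypothetical; not from the case) -------------
# HR separation roster: username -> last working day.
SEPARATED_EMPLOYEES = {
    "alice": "2018-06-30",   # left years ago, account was never disabled
    "bob": "2021-11-15",     # left recently, account correctly disabled
}

# Identity-provider export: who can still log in.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": "2021-12-28"},
    {"user": "bob",   "enabled": False, "last_login": "2021-11-10"},
    {"user": "carol", "enabled": True,  "last_login": "2021-12-20"},
]

# Constructed audit log in a key=value format (hypothetical).
AUDIT_LOG = [
    "2021-12-28T02:14:05Z user=alice action=LOGIN src=203.0.113.7 result=SUCCESS",
    "2021-12-28T02:16:40Z user=alice action=CREATE_USER target=svc-report result=SUCCESS",
    "2021-12-28T02:17:02Z user=alice action=GRANT_ROLE target=svc-report role=db-admin result=SUCCESS",
    "2021-12-28T09:01:11Z user=carol action=LOGIN src=198.51.100.4 result=SUCCESS",
]

ACCOUNT_MANAGEMENT_ACTIONS = {"CREATE_USER", "GRANT_ROLE", "RESET_PASSWORD"}


def stale_enabled_accounts(accounts, separated, as_of):
    """Return {user: days_since_separation} for accounts that are still
    enabled even though HR lists the user as separated.

    as_of is the date of the review; days are counted from the last
    working day in the roster."""
    as_of = date.fromisoformat(as_of)
    stale = {}
    for acct in accounts:
        left = separated.get(acct["user"])
        if left is None or not acct["enabled"]:
            continue  # current employee, or already disabled
        stale[acct["user"]] = (as_of - date.fromisoformat(left)).days
    return stale


def parse_event(line):
    """Split one 'timestamp k=v k=v ...' line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def suspicious_events(log_lines, separated):
    """Flag log lines that should page someone:
    - any activity by a user HR has separated, and
    - any account-management action, so newly created accounts and
      privilege grants are reviewed rather than going unnoticed."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        reasons = []
        if ev.get("user") in separated:
            reasons.append("activity by separated user")
        if ev.get("action") in ACCOUNT_MANAGEMENT_ACTIONS:
            reasons.append("account-management action")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "action": ev["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for user, days in stale_enabled_accounts(ACCOUNTS, SEPARATED_EMPLOYEES, "2021-12-28").items():
        print(f"STALE: {user} still enabled {days} days after separation")
    for f in suspicious_events(AUDIT_LOG, SEPARATED_EMPLOYEES):
        print(f"ALERT: {f['ts']} {f['user']} {f['action']} ({'; '.join(f['reasons'])})")
```

Run on the sample data, the reconciliation reports only alice (bob is disabled, carol is current), and the detection flags her login plus the two account-management events while leaving carol's ordinary login alone. The design point is that the two checks are independent: the roster reconciliation catches the offboarding gap before anyone uses it, and the account-management rule fires even when the actor is a legitimate administrator, so a new account created under stolen credentials still gets a human review.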
The FTC’s proposed order, pending public comment, requires Illuminate to establish a comprehensive information security program that addresses access control, data confidentiality, and breach detection. The order also requires the company to delete unnecessary personal information and to follow a strict data retention policy. In addition, Illuminate must stop misrepresenting its data protection practices, especially in communications with schools and users, and must report any future data breaches to the agency. Violations of the final order could result in civil penalties of up to $51,744 per incident.