FTC settlement requires Illuminate to delete unnecessary student data

The Federal Trade Commission (FTC) is proposing that education technology provider Illuminate Education delete unnecessary student data and improve its security to settle allegations related to an incident in 2021 that exposed the information of 10 million students.

The agency’s decision comes shortly after the states of California, Connecticut, and New York agreed to settle their legal cases against Illuminate, related to the same incident, for $5.1 million.

Illuminate Education is a cloud-based technology product vendor for K-12 schools and school districts. 

It offers a suite of tools to collect, organize, analyze, and report student data, covering academic performance, assessments, attendance, scheduling, and demographic and behavioral data.

Despite the heightened need to protect this data due to the sensitivity of the subjects, the FTC says the company has failed in its security program on multiple levels, including a lack of access controls, poor detection and response, weak vulnerability monitoring and patching practices, and plain-text storage.

Illuminate’s security failures were exposed in December 2021, when a hacker gained access to the company’s systems by using credentials from a former employee who had left the company more than three years before.

Using the credentials, the hacker accessed Illuminate’s databases, which were hosted on a third-party cloud provider, exfiltrating the personal data of approximately 10.1 million students, including: 

  • Email addresses
  • Physical addresses
  • Dates of birth
  • Student records
  • Health-related information

The FTC notes that Illuminate received warnings from a third-party vendor that its networks were riddled with security flaws. However, the company took no action to remediate them and even continued to store student data in plain text until January 2022.

The company also misrepresented its security stance and data protection measures to schools, claiming in contracts that “its practices and procedures are designed to meet or exceed private industry best practices,” and specifically mentioning data encryption as one of these measures.

The FTC says that Illuminate waited for two years after the incident to notify impacted school districts, leaving exposed users at risk of phishing and other attacks for an extended time period.

For these reasons, the agency will require the company to improve its defenses through a data security program to settle the allegations.

As part of the agreement, Illuminate will have to delete all unnecessary data, follow a public data-retention schedule, stop misrepresenting its security practices, and notify the FTC when reporting data breach incidents to other authorities.

The order is being finalized and will soon open for public comment for 30 days. Violations of the final order will incur a civil penalty of up to $51,744 per case.


Bill Toulas