Edtech firm Illuminate Education settles FTC case over 2021 data breach

The Federal Trade Commission announced Monday that Wisconsin-based educational technology provider Illuminate Education has agreed to implement a comprehensive data security program and delete unnecessary records to resolve allegations that inadequate network security led to a December 2021 breach exposing personal information for 10.1 million students.

The agency alleges a hacker used credentials belonging to a former employee to access Illuminate’s database, which was stored on a third-party cloud provider. The former employee had left the company three and a half years before the credentials were used. Data accessed in the breach included email and mailing addresses, dates of birth, student records and health information.

The FTC said contracts with school systems misrepresented the company’s security practices by falsely claiming student data was encrypted. A third-party vendor notified Illuminate in January 2020 that its network was vulnerable to hacking, but the firm failed to address the identified problems, the agency added. Security deficiencies cited include failures to implement reasonable access controls, effective threat detection and response, and vulnerability monitoring and patch management. Student data remained stored in plain text until at least January 2022.

Illuminate waited nearly two years to notify some school districts about the breach, leaving more than 380,000 students unaware that their information had been accessed, the agency said.

Under the settlement, Illuminate will stop making deceptive claims about its security protocols, notify school districts promptly of breaches, and delete personal data it no longer needs to provide services. The company also will follow a public data retention schedule that specifies deletion timeframes, establish a comprehensive information security program, and notify the FTC if it reports a data breach to any federal, state or local government.