FTC Cracks Down on EdTech Provider After Data Breach Hits Over 10 Million Students

Key Takeaways
  • FTC Enforcement Action: The FTC alleges that Illuminate’s security failures led to a breach exposing personal data of more than 10.1 million students and has proposed a consent order in response.
  • Weak Cloud Security Controls: Hackers used long-active administrator credentials from a former employee to access Illuminate’s AWS environment, exfiltrate hundreds of database backups, and move undetected for 13 days.
  • Sensitive Data at Risk: Unencrypted records included student contact details, dates of birth, education records, disability information, and health-related data, heightening risks of fraud, identity theft, and reputational harm.
  • Delayed Breach Notifications: Some school districts and approximately 387,000 students were not notified of the December 2021–January 2022 breach until October 2023, despite contractual commitments to rapid breach notification.
  • Required Remediation Measures: The proposed order requires a comprehensive information security program, stricter access and data retention controls, deletion of unnecessary data, truthful security and notification representations, and FTC notification when Illuminate reports breaches to other authorities, with future violations subject to civil penalties of up to $51,744 per violation.
Deep Dive

The Federal Trade Commission is taking action against Illuminate Education after investigators found the popular school software provider failed to secure sensitive student records, a lapse that led to a major hack affecting more than 10 million children across the United States.

Illuminate, whose platforms help schools manage student assessments, attendance, behavior tracking, and intervention planning, will be required to overhaul its data protection practices and delete personal information it no longer needs under a proposed settlement announced Monday.

The FTC alleges the company left students exposed despite repeated warnings about weaknesses in its systems, weaknesses that hackers ultimately exploited to steal highly sensitive data. According to the complaint, the December 2021 intrusion should have been avoidable: a threat actor entered Illuminate’s Amazon-hosted environment using the still-active credentials of a former employee who had left the company in 2018, credentials the company had never disabled or rotated.

Once inside, the hacker spent nearly two weeks moving through the company’s systems undetected, copying database backups containing names, contact details, birth dates, grades, disability information, disciplinary records, and health-related data.

In some cases, the data belonged to former students whose records had been kept for years beyond what schools had contracted for.

Despite its systems suddenly going offline in early January 2022, Illuminate failed to detect the breach until after significant data exfiltration had already occurred. The company later paid a ransom in an attempt to recover the stolen information, but investigators say it cannot verify whether all copies were returned or destroyed.
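The root cause described above, an administrator credential that stayed active for years after the employee left, is the kind of thing a routine review of the AWS IAM credential report catches. The script below is an added illustration, not code from the article or from Illuminate: it parses a constructed credential report (a subset of the columns produced by `aws iam generate-credential-report` followed by `aws iam get-credential-report`) and flags console passwords and access keys that are still active but have sat idle or unrotated past a threshold. The account ID, user names and timestamps are made up for the example.

```python
"""Flag stale or never-rotated IAM credentials in an AWS credential report.

Added example: reads a credential report in the CSV format AWS produces
and reports active credentials that are idle or old. Real reports contain
more columns; this sample keeps only the ones the check needs.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (account ID, users and dates are invented).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-03-01T10:00:00+00:00,true,2021-11-30T08:00:00+00:00,false,N/A,N/A
former-admin,arn:aws:iam::123456789012:user/former-admin,2017-06-12T09:15:00+00:00,true,2018-04-20T17:45:00+00:00,true,2017-06-12T09:15:00+00:00,2018-04-20T17:45:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-01-05T12:00:00+00:00,false,not_supported,true,2021-10-01T12:00:00+00:00,2021-12-01T06:30:00+00:00
analyst,arn:aws:iam::123456789012:user/analyst,2020-09-01T12:00:00+00:00,true,2021-12-01T09:00:00+00:00,false,N/A,N/A
"""

# Placeholder values AWS uses when a timestamp is not available.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported"}


def parse_time(value):
    """Return an aware datetime, or None for AWS's 'no value' markers."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, now, max_idle_days=90, max_key_age_days=365):
    """Return (user, reason) pairs for credentials that should be reviewed.

    A credential is flagged when it is enabled/active and either has never
    been used, has not been used within max_idle_days, or (for access keys)
    has not been rotated within max_key_age_days.
    """
    idle_limit = timedelta(days=max_idle_days)
    age_limit = timedelta(days=max_key_age_days)
    findings = []

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Console password: enabled but unused for too long.
        if row["password_enabled"] == "true":
            last_login = parse_time(row["password_last_used"])
            if last_login is None or now - last_login > idle_limit:
                findings.append((user, "console password enabled but idle"))

        # Access key 1: active but idle, or active but never rotated.
        if row["access_key_1_active"] == "true":
            last_used = parse_time(row["access_key_1_last_used_date"])
            rotated = parse_time(row["access_key_1_last_rotated"])
            if last_used is None or now - last_used > idle_limit:
                findings.append((user, "active access key idle"))
            if rotated is None or now - rotated > age_limit:
                findings.append((user, "active access key not rotated"))

    return findings


if __name__ == "__main__":
    # Evaluate the sample as of mid-December 2021 (the article's intrusion window).
    as_of = datetime(2021, 12, 15, tzinfo=timezone.utc)
    for user, reason in find_stale_credentials(SAMPLE_REPORT, as_of):
        print(f"{user}: {reason}")
```

Run against the sample, the only account flagged is `former-admin`, on all three counts. The fix for such a finding is the offboarding step the article says never happened: deactivate the key, disable console access and remove the user, and wire the check into a scheduled job so a departed employee's credential cannot survive for years unnoticed.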

Big Promises, Weak Protections

Illuminate’s products serve thousands of school districts, and the company publicly marketed itself as a trusted steward of children’s data. Its website assured families that it protected personal information “like it’s our own” using strong physical, electronic, and procedural measures.

Contracts with districts in states including New York, Connecticut, and Colorado also pledged encryption of student data, both in transit and at rest, and fast notification after any breach.

But according to the FTC, Illuminate stored vast amounts of personal data in plain text until at least January 2022 and waited months, in some cases almost two years, to notify districts of the breach. Roughly 387,000 students were not alerted until October 2023.

Christopher Mufarrige, acting director of the FTC’s Bureau of Consumer Protection, said the agency’s action should be seen as a warning.

“Companies cannot promise to secure children’s data and then cut corners in ways that leave them at risk,” he said.

Mandated Security Reforms Ahead

The proposed settlement would prohibit Illuminate from misrepresenting its data security practices in the future and requires major reforms, including:

  • A comprehensive information security program with stronger access controls and monitoring
  • Strict data retention limits, published publicly
  • Routine deletion of unnecessary personal information
  • Timely and transparent notice to districts and the government when breaches occur

If finalized, violations of the order could carry civil penalties of up to $51,744 per violation.
