The Federal Trade Commission (FTC) is proposing that education technology provider Illuminate Education to delete unnecessary student data and improve its security to settle allegations related to an incident in 2021 that exposed info of 10 million students.
The agency's decision comes shortly after the states of California, Connecticut, and New York agreed to settle their legal cases against Illuminate, related to the same incident, for $5.1 million.
Illuminate Education is a cloud-based technology product vendor for K-12 schools and school districts.
It offers a suite of tools to collect, organize, analyze, and report student data, covering academic performance, assessments, attendance, scheduling, and demographic and behavioral data.
Despite the heightened need to protect this data due to the sensitivity of the subjects, the FTC says the company has failed in its security program on multiple levels, including a lack of access controls, poor detection and response, weak vulnerability monitoring and patching practices, and plain-text storage.
Illuminate’s security failures were exposed in December 2021, when a hacker gained access to the company’s systems by using credentials from a former employee who had left the company more than three years before.
Using the credentials, the hacker accessed Illuminate’s databases, which were hosted on a third-party cloud provider, exfiltrating the personal data of approximately 10.1 million students, including:
Email addresses
Physical addresses
Dates of birth
... continue reading