
FTC orders Illuminate Education to bolster data security after breach impacting 10M students

The FTC directed Illuminate to improve its data security measures and to stop misrepresenting its data privacy practices.
A school bus drives up 8th avenue in New York City. October 21, 2025. (Photo by Zamek/VIEWpress)

The Federal Trade Commission finalized an order Friday against K-12 software vendor Illuminate Education, directing the company to improve its data security measures and barring it from misrepresenting its data privacy practices or breach notification times after a breach in 2021 impacted the data of more than 10 million current and former students.

The final order, which the FTC said was modified following a period of public comment, comes after the federal agency found that Illuminate, which provides student grading and attendance software, allegedly failed to implement reasonable security controls. These failures, the FTC alleged, were contributing factors in a December 2021 cyberattack on the company, which exposed the personal data of about 10.1 million current and former students across dozens of school districts in several states, including New York City’s large public school system.

In the attack, a hacker allegedly used the credentials of a former employee to access the data, which included students’ email and mailing addresses, dates of birth, student records, and health-related information. The FTC also alleged that Illuminate ignored security warnings dating back to 2020, such as those from a third-party vendor about security vulnerabilities on its network. According to the FTC, Illuminate failed to implement reasonable access controls to safeguard students’ personal information, as well as effective threat detection and response, vulnerability monitoring, and patch management practices.

Additionally, the FTC claimed the company did not inform some school districts of the breach in a timely manner, with some not notified until two years after the breach.


Instead of a monetary settlement, the agency has directed the company to show that it’s making improvements to its data practices. The order directs the company to establish a comprehensive data security program and to limit the collection and retention of certain consumer data. It also orders Illuminate to delete unnecessary personal data, and to make public a data retention schedule along with other records demonstrating compliance.

The FTC published the proposed order in December; the final June order, revised with input from public comment, contains only one substantive change: it explicitly requires Illuminate to engage in data minimization, a safeguard advocated by data privacy experts that involves collecting, processing, or maintaining only the personal data from consumers that is necessary to achieve a specific objective.

Along with the directives to improve its internal data security practices, the FTC’s order also prohibits the company from misrepresenting those data privacy practices in the future. The FTC, in its news release from December about the proposed order, notes that Illuminate’s website lists that it protects “your data like it’s our own” and that it takes “security measures—physical, electronic, and procedural—to help defend against the unauthorized access and disclosure of your information.” Illuminate also made these claims in the contracts it signed with school systems, the FTC said.

Illuminate is also required to notify the FTC of any reportable data breach whenever another federal, state, or local government agency is alerted to it.
