The Federal Trade Commission is taking action against Illuminate Education after a major security incident in 2021 exposed the personal information of about ten million students.
The agency wants the company to delete data it does not need, improve its security practices, and stop making misleading claims about how it protects student information.
This proposal comes shortly after California, Connecticut, and New York reached a combined settlement of 5.1 million dollars with the same company over the same incident. Illuminate Education provides cloud-based tools for K–12 schools, helping them manage student records, performance data, attendance, schedules, demographics, and behavior-related information. Because this data involves children, it requires strong protection, but the FTC says Illuminate failed on many fronts.
The breach happened in December 2021, when a hacker accessed the company’s systems using login details that belonged to a former employee who had left more than three years earlier. With those credentials, the hacker was able to reach databases hosted on a third-party cloud provider and steal sensitive records. The exposed data included email addresses, home addresses, dates of birth, academic records, and some health-related information.
Before the incident, a third-party service had warned Illuminate that its systems contained serious security weaknesses. The company did not fix these issues and continued storing student data in plain text until January 2022, which made the information easier to access if someone got into the system. The FTC also said that Illuminate told schools it followed strong industry security standards and used proper encryption, even though it did not follow those practices in reality.
Another major concern is that the company waited nearly two years before notifying affected school districts, leaving millions of students at greater risk of phishing attempts and other attacks.
As part of the FTC’s proposed order, Illuminate will be required to strengthen its security program, remove all data it does not need, follow a clear public schedule for data retention, and be honest about its security practices. The company will also need to notify the FTC whenever it reports a data breach to another authority.
The order will be finalized after a 30-day public comment period. Once it is in effect, any violation could result in a civil penalty of up to $51,744 per case.