FTC Takes Action Against Illuminate Education Over Security Failures Exposing Student Data

In a recent development, the Federal Trade Commission (FTC) has taken action against Illuminate Education, a prominent education technology provider, over allegations of security failures that led to the exposure of sensitive student data. The proposed settlement requires Illuminate to delete unnecessary student data and enhance its security measures.

Illuminate Education offers a comprehensive suite of tools for K-12 schools and districts, collecting and analyzing vast amounts of student data, including academic performance, attendance, and demographic information. Given the sensitive nature of this data, the FTC emphasizes that the company had a critical responsibility to protect it.

However, according to the FTC, Illuminate failed to implement adequate security measures, including access controls, detection and response systems, and vulnerability monitoring. These shortcomings were starkly exposed in December 2021, when a hacker exploited credentials from a former employee, gaining unauthorized access to Illuminate’s systems. The breach resulted in the exfiltration of personal data belonging to approximately 10. 1 million students.

The compromised data included sensitive information such as names, dates of birth, and grades. Illuminate had received warnings from a third-party vendor about its networks being riddled with security flaws, yet the company took no action to address these vulnerabilities.