Edtech company fined $5.1 million for poor data security practices leading to hack

Three state attorneys general announced Thursday that the educational technology company Illuminate Education will pay a $5.1 million fine and agree to make changes to its business to settle allegations that shoddy security practices led to a 2021 data breach.

The data breach exposed student names, races, coded medical conditions and whether they received special education accommodations. It affected students in 49 states, including three million in California alone.

Several security failings led to the breach, according to a press release from California Attorney General Rob Bonta.

For example, Illuminate allegedly failed to delete the login credentials of former employees, the press release said. The hacker who obtained the private data allegedly used a former Illuminate employee’s credentials to gain access to its network.

The edtech firm also allegedly failed to monitor its systems for suspicious activity and did not separately secure backup and active databases. Because the databases were not separated, the press release said, the backup databases were also compromised when the active database was breached.

Illuminate also allegedly made false statements in its privacy policy, which told users its practices “meet or exceed the requirements of applicable federal and state law.” 

The firm has agreed to bolster its access control and account management practices, do real-time monitoring for suspicious activity and stop storing backup databases in the same network as active ones, the press release said.

Bonta brought the action alongside Connecticut Attorney General William Tong and New York Attorney General Letitia James.

A spokesperson for Illuminate said in a prepared statement that the company has been acquired by another edtech company, Renaissance.

“Since the acquisition, Renaissance has incorporated the Illuminate products into its cybersecurity and data protection program, which includes robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators, and families,” the statement said.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
