Article Details

Scrape Timestamp (UTC): 2025-12-02 14:18:23.475

Source: https://www.theregister.com/2025/12/02/ftc_illuminate/

Original Article Text


FTC schools edtech outfit after intruder walked off with 10M student records

Regulator says Illuminate ignored years of warnings, stored kids' data in plain text, and kept districts in the dark.

US edtech provider Illuminate Education just got dinged by the Federal Trade Commission for allegedly failing to keep an attacker from pilfering data on 10 million students.

The FTC has demanded changes – but did not issue any fines or criminal charges – from the company after an incident in late December 2021 in which a miscreant used the credentials of a former employee – someone who'd left the company more than three years earlier – to breach the edtech firm's cloud-based database.

The breach at Illuminate exposed highly sensitive records tied to 10.1 million students: email and postal addresses, dates of birth, student records, and even health-related information.

Illuminate had marketed itself to school districts as a trustworthy custodian of student information, promising to handle data "as if it's our own" and using contract language that portrayed its security posture as compliant with best practices, including encryption and the usual trimmings. But the FTC says the company failed to deliver on those promises.

As early as January 2020, a third-party vendor alerted Illuminate to "numerous security vulnerabilities" in its network, yet the company allegedly did little to plug the holes. Among the alleged failures were storing student data in plain text at least until January 2022, lacking reasonable access controls, and neglecting threat detection, vulnerability monitoring, and patch management.

Even more damning, the complaint says that the company delayed notifying some school districts about the breach – leaving around 380,000 students in the dark for nearly two years.
"Illuminate pledged to secure and protect personal information about children and failed to do so," said Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection, in an FTC press release. "Today's action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children's medical diagnoses and other personal data."

As part of its settlement with the FTC, Illuminate will have to scrub unnecessary personal data, publish and follow a data retention schedule, and roll out a detailed information security program covering the confidentiality, integrity, and availability of student data. The proposed order also bans the company from misrepresenting how it handles security and breach notifications. However, the FTC did not levy any fines against the company.

The FTC voted 2-0 to approve the complaint and draft order, pending a 30-day public comment window before finalization.

For a firm built on trust from school districts and parents, this is a bitter dose of reality. Those lofty promises – including fancy website copy about "physical, electronic, and procedural" safeguards – didn't hold up when push came to shove. The FTC's action underscores a broader warning to edtech firms: hype up privacy and data security all you want, but be ready for scrutiny if you can't meet the basics.

Daily Brief Summary

DATA BREACH // FTC Sanctions Illuminate Education for Massive Student Data Breach

The Federal Trade Commission (FTC) sanctioned Illuminate Education after a breach, carried out with the credentials of a former employee, exposed the data of 10.1 million students.

The breach revealed sensitive information, including email and postal addresses, birth dates, and health-related data, stored in plain text until early 2022.

Illuminate Education had been alerted to security vulnerabilities as early as January 2020 but failed to implement necessary security measures.

The company delayed notifying some school districts of the breach, leaving 380,000 students uninformed for nearly two years.

As part of the settlement, Illuminate must implement a comprehensive information security program and adhere to a data retention schedule.

The FTC's action serves as a reminder to edtech companies of the importance of fulfilling privacy promises, especially concerning children's personal data.

No fines were imposed; the FTC voted 2-0 to approve the complaint and draft order, which await a 30-day public comment period before finalization.