FTC Action Against Illuminate Education

Illuminate Education Data Breach Affected 10 Million Students

The Federal Trade Commission has taken action against Illuminate Education following a major data breach that enabled hackers to access the personal data of more than 10 million students. Because Illuminate Education supports schools and school districts by providing cloud-based technology products, it collects and maintains sensitive data about students in the normal course of business operations.

Illuminate made privacy claims on their website did not appear to be supported by their internal controls, and failed to maintain key best practices with respect to privacy and information security, including:

• Maintaining appropriate data access controls

• Instituting data retention and deletion schedules

• Periodically reviewing offboarding controls to ensure access is appropriate removed

• Responding timely to vulnerability assessments

• Failing to notify affected consumers of a data breach timely

Because of the systemic failure of Illuminate Education’s controls, the hacker gained access to the personal data of 10.1 million students, including email addresses, mailing addresses, dates of birth, student records, and health-related information.