The Federal Trade Commission on Monday announced that it will require the educational technology firm Illuminate Education to implement a data security program and delete “unnecessary” data.
The requirement is a consequence of the firm’s involvement in a data breach in which the personal data of 10 million students was compromised. According to an FTC complaint, the company failed to deploy “reasonable” cloud security measures.
“Illuminate pledged to secure and protect personal information about children and failed to do so,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a press release. “Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”
The incident occurred in 2021, when a “hacker” used the credentials of a former employee who’d left the company more than three years prior to gain access to the company’s data systems, according to the FTC. Information accessed included email addresses, mailing addresses, dates of birth, student records and health information.
A proposed order outlines the steps the company would be required to take. Those include deleting information not needed to provide services to current users, following a publicly available data retention schedule, establishing an information security program and notifying the FT
Source: https://edscoop.com/ftc-illuminate-education-data-breach/
Illuminate Education, Inc. cybersecurity rating report: https://www.rankiteo.com/company/illuminate-education
"id": "ILL1764633287",
"linkid": "illuminate-education",
"type": "Breach",
"date": "1/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "10,000,000 students",
      "industry": "education technology (EdTech)",
      "location": null,
      "name": "Illuminate Education",
      "size": null,
      "type": "educational technology firm"
    }
  ],
  "attack_vector": ["compromised credentials", "former employee account"],
  "data_breach": {
    "data_encryption": null,
    "data_exfiltration": true,
    "file_types_exposed": null,
    "number_of_records_exposed": "10,000,000",
    "personally_identifiable_information": true,
    "sensitivity_of_data": "high (includes children's medical diagnoses and personal data)",
    "type_of_data_compromised": [
      "personally identifiable information (PII)",
      "protected health information (PHI)",
      "student records"
    ]
  },
  "date_publicly_disclosed": "2023-09-18",
  "description": "The Federal Trade Commission (FTC) announced that Illuminate Education, an educational technology firm, was involved in a data breach where the personal data of 10 million students was compromised. The breach occurred due to the company's failure to deploy reasonable cloud security measures, allowing a hacker to use the credentials of a former employee (who had left over three years prior) to access sensitive data, including email addresses, mailing addresses, dates of birth, student records, and health information. The FTC required the company to implement a data security program, delete unnecessary data, and adhere to stricter compliance measures.",
  "impact": {
    "brand_reputation_impact": "high (FTC enforcement action, public disclosure of failure to protect children's data)",
    "conversion_rate_impact": null,
    "customer_complaints": null,
    "data_compromised": [
      "email addresses",
      "mailing addresses",
      "dates of birth",
      "student records",
      "health information"
    ],
    "downtime": null,
    "financial_loss": null,
    "identity_theft_risk": "high (personal and health data of minors exposed)",
    "legal_liabilities": [
      "FTC proposed order requiring security program, data deletion, and compliance measures"
    ],
    "operational_impact": null,
    "payment_information_risk": null,
    "revenue_loss": null,
    "systems_affected": null
  },
  "initial_access_broker": {
    "backdoors_established": null,
    "data_sold_on_dark_web": null,
    "entry_point": "compromised credentials of a former employee",
    "high_value_targets": ["student records", "health information"],
    "reconnaissance_period": null
  },
  "investigation_status": "resolved (FTC proposed order issued)",
  "post_incident_analysis": {
    "corrective_actions": [
      "implementation of a data security program",
      "deletion of unnecessary data",
      "public data retention schedule",
      "FTC oversight"
    ],
    "root_causes": [
      "failure to deactivate former employee credentials",
      "lack of reasonable cloud security measures",
      "violation of privacy promises"
    ]
  },
  "references": [
    {
      "date_accessed": "2023-09-18",
      "source": "Federal Trade Commission (FTC) Press Release",
      "url": null
    }
  ],
  "regulatory_compliance": {
    "fines_imposed": null,
    "legal_actions": ["FTC proposed order requiring remediation"],
    "regulations_violated": [
      "FTC Act (Section 5: unfair or deceptive practices)",
      "COPPA (Children's Online Privacy Protection Act, implied)"
    ],
    "regulatory_notifications": ["FTC complaint and press release"]
  },
  "response": {
    "adaptive_behavioral_waf": null,
    "communication_strategy": ["FTC press release", "proposed order notification"],
    "containment_measures": null,
    "enhanced_monitoring": null,
    "incident_response_plan_activated": null,
    "law_enforcement_notified": null,
    "network_segmentation": null,
    "on_demand_scrubbing_services": null,
    "recovery_measures": null,
    "remediation_measures": [
      "deletion of unnecessary data",
      "implementation of a data security program",
      "publicly available data retention schedule"
    ],
    "third_party_assistance": null
  },
  "threat_actor": "unknown hacker",
  "title": "Illuminate Education Data Breach (2021)",
  "type": ["data breach", "unauthorized access"],
  "vulnerability_exploited": [
    "lack of credential rotation",
    "inadequate cloud security measures",
    "failure to deactivate former employee accounts"
  ]
}