Illuminate Education, an ed-tech software company providing data and assessment tools for schools, suffered a major data breach in **December 2021 and January 2022**, exposing sensitive information of **approximately 1.7 million current and former students** across **750 schools** in New York alone. The compromised data included **student names, birth dates, student ID numbers, and demographic details**, along with potential health records. The breach resulted from **neglected security measures**, including failure to encrypt student data, decommission inactive accounts, limit account permissions, monitor suspicious activity, and delete data post-contract termination. Prior warnings in **2020** about high-risk server practices were ignored. The company faced a **$5.1 million settlement** with New York, California, and Connecticut, with New York receiving **$1.7 million**. Regulators mandated stricter security protocols, including encryption, access controls, vulnerability tracking, and annual disclosures of collected data categories. The incident marked **Connecticut’s first enforcement under its Student Data Privacy Law**, emphasizing heightened accountability for ed-tech firms handling children’s information.
Source: https://www.govtech.com/education/k-12/ed-tech-company-reaches-settlement-over-data-breach
Illuminate Education, Inc. cybersecurity rating report: https://www.rankiteo.com/company/illuminate-education
```json
{
  "id": "ill4002440110825",
  "linkid": "illuminate-education",
  "type": "Breach",
  "date": "6/2020",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "~1.7 million current/former students across ~750 schools (NY only)",
      "industry": "Education Technology",
      "location": "USA (multi-state: NY, CA, CT)",
      "name": "Illuminate Education",
      "type": "Ed-Tech Company"
    },
    {
      "industry": "K-12 Education",
      "location": ["New York", "California", "Connecticut"],
      "name": "School Districts (750+ in NY, additional in CA/CT)",
      "type": "Public Education Institutions"
    }
  ],
  "data_breach": {
    "data_encryption": "No (data was unencrypted)",
    "data_exfiltration": "Yes",
    "number_of_records_exposed": "~1.7 million (NY students; total across CA/CT unspecified)",
    "personally_identifiable_information": ["Names", "Birth dates", "Student IDs", "Demographics"],
    "sensitivity_of_data": "High (student PII, health records collected)",
    "type_of_data_compromised": ["Personally Identifiable Information (PII)", "Student records"]
  },
  "description": "Illuminate Education, an ed-tech software company, failed to safeguard student data due to inadequate security measures, including lack of encryption, improper account management, and failure to delete data post-contract. The company faced a $5.1 million settlement with New York, California, and Connecticut after two major breaches in December 2021 and January 2022 exposed ~1.7 million students' data (names, birth dates, IDs, demographics). The breaches stemmed from neglected cybersecurity recommendations (e.g., 2020 vendor warnings) and systemic deficiencies in access controls, monitoring, and vulnerability management.",
  "impact": {
    "brand_reputation_impact": "Significant (first enforcement under Connecticut's Student Data Privacy Law; public criticism from AGs)",
    "data_compromised": [
      "Student names",
      "Birth dates",
      "Student ID numbers",
      "Demographic information",
      "Health records (collected but not confirmed as breached)"
    ],
    "financial_loss": "$5.1 million (settlement with NY, CA, CT)",
    "identity_theft_risk": "Moderate (PII exposed but no confirmed misuse)",
    "legal_liabilities": [
      "$1.7 million to New York",
      "Mandated data security program overhaul",
      "Annual school notifications about data collection",
      "Court-ordered compliance with state privacy laws"
    ]
  },
  "investigation_status": "Completed (state-led; company found deficient in investigation efforts)",
  "lessons_learned": [
    "Ed-tech companies face heightened scrutiny for student data protection.",
    "Ignoring third-party cybersecurity recommendations can lead to severe breaches.",
    "State AGs are increasingly collaborating on cross-border enforcement for data privacy.",
    "Contractual data retention/deletion obligations must be strictly followed.",
    "Proactive vulnerability management and access controls are critical for sensitive data."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Court-mandated data security program with encryption, access controls, and monitoring.",
      "Annual transparency reports to schools about data collection.",
      "$5.1M settlement funding state enforcement efforts.",
      "Potential internal restructuring (implied but not detailed)."
    ],
    "root_causes": [
      "Neglect of 2020 cybersecurity vendor recommendations (account management, password policies).",
      "Lack of encryption for sensitive student data.",
      "Over-permissive account access and failure to decommission inactive accounts.",
      "Absence of formal vulnerability remediation processes.",
      "Inadequate network monitoring for suspicious activity.",
      "Non-compliance with data retention/deletion contractual obligations."
    ]
  },
  "recommendations": [
    "Implement end-to-end encryption for all student data.",
    "Adopt zero-trust principles for account permissions and decommissioning.",
    "Establish continuous network monitoring with anomaly detection.",
    "Conduct regular third-party security audits and act on findings.",
    "Develop transparent data inventory practices with annual school disclosures.",
    "Train staff on privacy laws specific to student data (e.g., FERPA, state laws).",
    "Create incident response playbooks tailored to education sector risks."
  ],
  "references": [
    {"source": "New York Attorney General Press Release"},
    {"source": "Connecticut Attorney General Public Statement"},
    {"source": "California Attorney General Public Statement"},
    {"source": "NY Assurance of Discontinuance Letter (2020 vendor warning)"}
  ],
  "regulatory_compliance": {
    "fines_imposed": "$5.1 million (settlement)",
    "legal_actions": [
      "Assurance of Discontinuance (NY)",
      "Court-ordered data security program",
      "Mandated annual disclosures"
    ],
    "regulations_violated": [
      "New York Education Law § 2-d",
      "California Consumer Privacy Act (CCPA) - heightened obligations for children's data",
      "Connecticut Student Data Privacy Law (first enforcement action)",
      "Potential FERPA (Family Educational Rights and Privacy Act) violations"
    ],
    "regulatory_notifications": [
      "New York Attorney General Letitia James",
      "California Attorney General Rob Bonta",
      "Connecticut Attorney General William Tong"
    ]
  },
  "response": {
    "communication_strategy": [
      "Public statements by NY/CA/CT Attorneys General",
      "Court-ordered annual disclosures to schools"
    ],
    "enhanced_monitoring": "Mandated post-settlement",
    "incident_response_plan_activated": "No (failed to conduct complete investigation post-breach)",
    "remediation_measures": [
      "Mandated encryption of all collected/stored data",
      "Access limitation policies",
      "Network monitoring for suspicious activity",
      "Formal vulnerability tracking/remediation process",
      "Annual school notifications about data collection types"
    ],
    "third_party_assistance": "Yes (unnamed cybersecurity vendor in 2020, but recommendations ignored)"
  },
  "stakeholder_advisories": [
    "School districts must be notified annually about data collection types (e.g., health records).",
    "Parents/guardians likely received breach notifications (implied but not detailed)."
  ],
  "title": "Illuminate Education Data Breach and $5.1 Million Settlement for Student Data Protection Failures",
  "type": ["Data Breach", "Privacy Violation", "Regulatory Non-Compliance"],
  "vulnerability_exploited": [
    "Unencrypted student data",
    "Lack of account management (inactive accounts not decommissioned)",
    "Excessive account permissions",
    "Insufficient network monitoring for suspicious activity",
    "Failure to remediate known vulnerabilities",
    "Improper data retention (post-contract)"
  ]
}
```