Illuminate Education Inc.

In 2021, Illuminate Education Inc., an educational technology company providing software for tracking student attendance, grades, and mental health data, suffered a data breach exposing the personal information of **1.7 million New York students**, along with affected students in Connecticut and California. Hackers exploited the credentials of a **former employee** to access unencrypted database files, compromising sensitive data such as **student names, birth dates, and demographic information**. The breach stemmed from the company’s failure to implement basic security measures, including **inactive account deactivation, data encryption, access restrictions, and suspicious activity monitoring**. New York’s Attorney General secured a **$1.7 million settlement** (part of a **$5.1 million multi-state agreement**) mandating stricter cybersecurity protocols, including data encryption, access controls, and anomaly detection systems. The incident underscored vulnerabilities in handling **student data**, eroding trust among schools, parents, and educators.

Source: https://www.lohud.com/story/news/education/2025/11/11/ny-secures-settlement-for-illuminate-education-student-data-breach-demographic-info-compromised/87200229007/

Illuminate Education, Inc. cybersecurity rating report: https://www.rankiteo.com/company/illuminate-education

"id": "ill5492254111125",
"linkid": "illuminate-education",
"type": "Breach",
"date": "6/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1.7 million students in New '
                                              'York; additional students in '
                                              'Connecticut and California '
                                              '(total scope unspecified)',
                        'industry': 'Education Technology (EdTech)',
                        'location': 'California, USA',
                        'name': 'Illuminate Education Inc.',
                        'size': 'Serves 17 million students, 5,200 districts '
                                'and schools in the U.S.',
                        'type': 'Educational Technology Company'},
                       {'customers_affected': '750 schools in New York',
                        'industry': 'Education',
                        'location': 'New York, USA',
                        'name': 'New York State Education Department',
                        'type': 'Government Agency'}],
 'attack_vector': 'Compromised credentials (former employee)',
 'data_breach': {'data_encryption': 'No (data was unencrypted)',
                 'data_exfiltration': 'Yes (unencrypted database files '
                                      'downloaded)',
                 'file_types_exposed': 'Database files',
                 'number_of_records_exposed': '1.7 million (New York) + '
                                              'unspecified numbers in '
                                              'Connecticut and California',
                 'personally_identifiable_information': 'Yes (student names, '
                                                        'birth dates, '
                                                        'demographic '
                                                        'information)',
                 'sensitivity_of_data': 'High (includes names, birth dates, '
                                        'demographic info)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_publicly_disclosed': '2023',
 'description': 'New York reached a $1.7 million settlement with Illuminate '
                'Education Inc. after a 2021 data breach exposed the personal '
                'information of 1.7 million students statewide. Hackers '
                'accessed the company’s system using credentials of a former '
                'employee and downloaded unencrypted database files containing '
                'student names, birth dates, and demographic information. The '
                'breach also affected students in Connecticut and California. '
                'The company failed to implement basic security measures like '
                'monitoring suspicious activity, encrypting data, deactivating '
                'inactive accounts, and limiting data access.',
 'impact': {'brand_reputation_impact': 'Significant (loss of trust from '
                                       'students, parents, teachers, and '
                                       'regulators)',
            'data_compromised': ['Student names',
                                 'Birth dates',
                                 'Demographic information'],
            'financial_loss': '$1.7 million (settlement for New York), $5.1 '
                              'million (total settlements across affected '
                              'states)',
            'identity_theft_risk': 'High (personal information exposed)',
            'legal_liabilities': '$5.1 million in settlements across multiple '
                                 'states (New York, Connecticut, California)',
            'systems_affected': ['Illuminate Education’s database systems']},
 'initial_access_broker': {'entry_point': 'Compromised credentials of a former '
                                          'Illuminate Education employee',
                           'high_value_targets': 'Student databases (academic, '
                                                 'behavioral, and demographic '
                                                 'data)'},
 'investigation_status': 'Completed (settlement reached)',
 'lessons_learned': ['Importance of deactivating inactive user accounts '
                     'promptly',
                     'Necessity of encrypting sensitive data (especially '
                     'student records)',
                     'Need for continuous monitoring of suspicious activity',
                     'Limiting data access to authorized personnel only',
                     'Proactive cybersecurity measures to prevent '
                     'credential-based attacks'],
 'post_incident_analysis': {'corrective_actions': ['Implementation of stronger '
                                                   'cybersecurity policies '
                                                   '(per settlement)',
                                                   'Data encryption for '
                                                   'student records',
                                                   'Access limitation '
                                                   'protocols',
                                                   'Anomalous activity '
                                                   'monitoring system'],
                            'root_causes': ['Failure to deactivate former '
                                            'employee credentials',
                                            'Lack of data encryption',
                                            'Inadequate monitoring for '
                                            'suspicious activity',
                                            'Overly permissive data access '
                                            'controls']},
 'recommendations': ['Implement multi-factor authentication (MFA) for all user '
                     'accounts',
                     'Regularly audit and deactivate inactive or former '
                     'employee accounts',
                     'Encrypt all sensitive data at rest and in transit',
                     'Deploy anomaly detection systems to monitor for '
                     'unauthorized access',
                     'Conduct third-party security assessments and penetration '
                     'testing',
                     'Train employees on cybersecurity best practices and '
                     'phishing awareness'],
 'references': [{'source': 'The Journal News/lohud & USA Today Network'},
                {'source': 'Office of Attorney General Letitia James (New '
                           'York)'}],
 'regulatory_compliance': {'fines_imposed': '$1.7 million (New York), $5.1 '
                                            'million (total across affected '
                                            'states)',
                           'legal_actions': 'Settlements with attorneys '
                                            'general in New York, Connecticut, '
                                            'and California'},
 'response': {'communication_strategy': 'Public statement by New York Attorney '
                                        'General Letitia James; settlement '
                                        'announcements',
              'enhanced_monitoring': 'Established as part of settlement '
                                     'requirements',
              'remediation_measures': ['Adoption of stronger cybersecurity '
                                       'measures (post-settlement)',
                                       'Policies to limit access to student '
                                       'data',
                                       'Data encryption for student records',
                                       'System to monitor anomalous activity']},
 'stakeholder_advisories': 'Public statements by New York Attorney General; '
                           'advisories likely issued to affected schools and '
                           'districts',
 'threat_actor': 'Unknown hackers',
 'title': 'Data Breach Exposing Personal Information of 1.7 Million New York '
          'Students',
 'type': 'Data Breach',
 'vulnerability_exploited': ['Lack of monitoring for suspicious activity',
                             'Unencrypted data storage',
                             'Inactive user accounts not deactivated',
                             'Excessive data access privileges']}