FTC requires Illuminate Education to shore up security after 2021 data breach
The Federal Trade Commission on Monday announced that it will require the educational technology firm Illuminate Education to implement a data security program and delete “unnecessary” data.
The requirement is a consequence of the firm’s involvement in a data breach in which the personal data of 10 million students was compromised. According to an FTC complaint, the company failed to deploy “reasonable” cloud security measures.
“Illuminate pledged to secure and protect personal information about children and failed to do so,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a press release. “Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”
The incident occurred in 2021, when a “hacker” used the credentials of a former employee who’d left the company more than three years prior to gain access to the company’s data systems, according to the FTC. Information accessed included email addresses, mailing addresses, dates of birth, student records and health information.
A proposed order outlines the steps the company would be required to take. Those include deleting information not needed to provide services to current users, following a publicly available data retention schedule, establishing an information security program and notifying the FTC when it has been involved in other breaches.