FTC Nails Ed Tech Company on Security Failures

The Federal Trade Commission is ordering an education technology vendor to adopt a new data security program after a massive data breach in 2022. No monetary penalties involved, but for cybersecurity and privacy professionals looking for the latest enforcement messages from the Trump Administration, this one is worth studying.

The company in question is Illuminate Education, which sells software to school districts so that teachers can record test scores, student assessments, and similar data for future analysis. If you’re a parent and you’ve ever received those assessments saying, “Your student is in this percentile for education performance,” Illuminate is one of the companies that manages all the back-end work for those reports.

Anyway, the FTC announced a proposed settlement on Monday that would require Illuminate to implement sweeping data security improvements. Technically the settlement is subject to public comment for 30 days before the FTC takes a final vote, but for our purposes today even the proposal is worth studying to see what went wrong at Illuminate and the remediation measures that the FTC now wants Illuminate to take.

We can begin with a close read of the FTC complaint against Illuminate, which describes how the breach happened. The short version is that hackers acquired the credentials of a former Illuminate employee, and then used those credentials to log into Illuminate’s IT systems in late December 2024. The hackers then pilfered data for roughly two weeks, including highly sensitive personal information about students’ learning disabilities, medical conditions, and academic performance. 

The hackers also launched a ransomware attack against Illuminate, which the company did eventually pay; but the hackers didn’t restore all of the stolen data, and nobody knows whether they kept copies of the data for themselves anyway.

Then, to top everything off, Illuminate’s breach disclosure practices to families and school districts were a mess, with some victims not notified for 18 months. At the time, Illuminate’s internal policies stated that upon discovering a breach (which Illuminate did on Jan. 8, 2022) all affected parties should be notified within 72 hours.

Deeper Dive Into Control Failures

When you look more closely at the complaint against Illuminate and how that 2022 breach actually happened, two big lessons for internal control and security professionals become painfully clear.

First is the importance of identity and access management, or IAM. If you don’t have effective controls to manage who has access to which parts of your IT systems, you’re sunk.

In this case, the hackers had obtained access credentials of an Illuminate employee who (a) had senior administrative access privileges; and (b) had left the company in April 2018. Somehow, however, that ex-employee’s credentials were still active and the hackers used them undetected for nearly two weeks. We can count at least two internal control failures here:

  • Failure to terminate that employee’s credentials when he or she left the company. That should be standard fare for all employees, and it’s an even higher priority for employees with senior administrator roles.
  • Failure to detect the ex-employee’s new activity on the network, which should have been flagged as suspicious and triggered an alert to IT security teams.
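Both of those failures are detectable from the authentication logs alone, provided someone joins them against the HR roster. The script below is an added example (not code from the FTC complaint, Illuminate, or this post’s author): it replays constructed login records against a constructed roster and raises an alert for any successful login by an account HR shows as terminated, by an account HR has no record of, or by an account that has been dormant longer than a threshold and suddenly reappears. The roster, log lines, the 90-day dormancy threshold and all names are assumptions made up for the example.

```python
"""Added example: flag logins by terminated, unknown, or long-dormant
accounts by joining an auth log against an HR roster. All data is constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR roster: username -> (role, termination date or None if still employed)
HR_ROSTER = {
    "alice": ("analyst", None),
    "bob": ("senior_admin", date(2018, 4, 30)),   # left the company; account should be gone
    "carol": ("senior_admin", None),
}

# Constructed auth log, one event per line: <ISO timestamp> <user> <result> <source ip>
AUTH_LOG = """\
2018-04-15T08:00:00 bob success 10.0.0.6
2021-12-01T09:12:00 alice success 10.0.0.5
2021-12-01T09:15:00 carol success 10.0.0.7
2021-12-28T02:41:00 bob success 203.0.113.9
2021-12-28T02:43:00 bob success 203.0.113.9
2021-12-29T11:00:00 alice success 10.0.0.5
2021-12-29T11:05:00 dave failure 10.0.0.8
2021-12-30T03:00:00 erin success 198.51.100.4
"""

DORMANT_DAYS = 90   # assumed threshold: a successful login after this long of silence is suspicious


@dataclass
class Alert:
    when: datetime
    user: str
    reason: str


def parse_log(text):
    """Turn the whitespace-separated log lines into (datetime, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def audit_logins(log_text, roster, dormant_days=DORMANT_DAYS):
    """Return alerts for successful logins that the HR roster says should not happen."""
    alerts = []
    last_seen = {}   # user -> datetime of that user's previous successful login
    for when, user, result, ip in sorted(parse_log(log_text)):
        if result != "success":
            continue   # failed attempts are out of scope for this check
        record = roster.get(user)
        if record is None:
            alerts.append(Alert(when, user, f"login by account not in HR roster from {ip}"))
        else:
            _, terminated_on = record
            if terminated_on is not None and when.date() > terminated_on:
                alerts.append(Alert(
                    when, user,
                    f"login by account terminated on {terminated_on.isoformat()} from {ip}"))
        previous = last_seen.get(user)
        if previous is not None and when - previous > timedelta(days=dormant_days):
            alerts.append(Alert(when, user, f"dormant account reactivated after {(when - previous).days} days"))
        last_seen[user] = when
    return alerts


if __name__ == "__main__":
    for alert in audit_logins(AUTH_LOG, HR_ROSTER):
        print(alert.when.isoformat(), alert.user, "-", alert.reason)
```

The join against the roster is the point: a login that looks perfectly normal in the IAM system alone (valid password, known username) becomes an obvious alert the moment HR’s termination date is in the same query. In a real deployment the roster would come from the HR system of record and the events from the identity provider or SIEM, and the dormancy threshold would be tuned per account type, with admin accounts getting the shortest window.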

I also suspect we could add a third failure: to use multi-factor authentication (MFA). That’s not expressly cited in the FTC complaint, but best practice is to require MFA for all log-ins when an account belongs to a user with senior administrator authority, which these compromised credentials did. So even if a set of credentials hadn’t been de-activated when the employee left, MFA would be a backup defense to stop the hackers cold. I’m not sure what happened here with Illuminate, but MFA for all log-ins from senior users should be a go-to move. 

Our second big lesson is the importance of acting on audits in a timely manner, because Illuminate had conducted assessments of its security posture before the breach that raised serious concerns — and those concerns went unaddressed. 

For example, Illuminate did commission an independent review of its security regime in 2020 (good), and that assessment identified major security vulnerabilities including Illuminate’s weak IAM practices, outdated software, weak credentials, and insecure system configurations. The assessment team even provided an action plan to address those issues.

Unfortunately, Illuminate didn’t implement those corrective actions in a timely manner. That same auditor flagged those same issues again in early 2021. By October 2021 Illuminate had hired a director of data privacy and security (again, good) and that person also noted that the company lacked adequate controls for theft detection and monitoring.

Folks, you can only document a control failure for so long. If the thing doesn’t get fixed, that’s a control environment failure because senior management and the board aren’t pushing hard enough to get issues resolved. Clearly for a company such as Illuminate — collecting reams of sensitive personal data about children — data security should have been risk no. 1, 2, and 3. 

I’ve said before that unaddressed audit issues are a grave warning sign about your corporate culture and control environment, because they show that senior leadership isn’t getting known risks addressed. Apparently I need to say it again now. Sigh.

Security Remediation Plans

The proposed settlement with Illuminate is long, and calls for all the usual elements one would expect in cases like these. For example:

  • Third-party assessments of the company’s information security program, done every other year for the next 10 years.
  • Mandatory deletion of any unnecessary data within the next 90 days, plus a new data retention and deletion program that must be posted publicly on Illuminate’s website.
  • Improved recordkeeping, including records of all employees and third-party contractors and records of all customer complaints related to security, which must be created for the next 10 years and preserved for five years after creation.
  • Annual certifications submitted to the FTC, signed by the CISO, attesting to Illuminate’s compliance with the settlement terms.
  • Disclosure of cybersecurity incidents to the FTC within 14 days of the company discovering the breach. 

Most importantly, Illuminate must also implement an effective information security program. That means a qualified person designated to run the program (presumably the CISO), who must develop a written program and report to the board at least once a year on the state of the program. The program must also perform an information security risk assessment at least once a year, or within three months of any significant security incident. 

OK, cool cool, but let’s get to the good stuff: the policies, procedures, and technical controls that Illuminate needs to implement. That includes measures… 

  • To inventory and classify the data under Illuminate’s control;
  • To log and monitor access to all data, systems, and other IT assets;
  • To log all “anomalous events,” including unauthorized attempts to access and remove data from Illuminate’s networks;
  • To limit employees’ and contractors’ access to only the systems and data they need to do their jobs, and to terminate access within 30 days of some change in the user’s need to know;
  • To keep sensitive data encrypted both in transit and at rest;
  • To require multi-factor authentication for all employees’ access to confidential data.
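The least-privilege, 30-day revocation and MFA requirements in that list are the kind of thing an access review can check mechanically. The script below is an added example, not code from the FTC order or from Illuminate: over a constructed role model, a constructed user list and a constructed set of entitlements actually present in the systems, it reports every entitlement a user’s current role does not need, computes the revocation deadline as 30 days after the user’s need-to-know changed, flags which of those are already overdue on the review date, and separately flags any user who can reach confidential data without MFA enrolled. All names, systems, roles and dates are assumptions made up for the example.

```python
"""Added example: an access review that applies the order's least-privilege,
30-day revocation, and MFA-for-confidential-data rules to constructed data."""
from dataclasses import dataclass
from datetime import date, timedelta

REVOCATION_WINDOW = timedelta(days=30)   # the order's "terminate access within 30 days"

# Constructed role model: role -> set of (system, data classification) that role needs
ROLE_NEEDS = {
    "teacher_support": {("helpdesk", "internal"), ("reports", "confidential")},
    "senior_admin":    {("helpdesk", "internal"), ("reports", "confidential"), ("db", "confidential")},
    "marketing":       {("cms", "internal")},
}

# Constructed users: current role (None = terminated), date the need to know last changed, MFA enrolled
USERS = {
    "alice": {"role": "teacher_support", "role_changed": date(2022, 3, 1),  "mfa": True},
    "bob":   {"role": None,              "role_changed": date(2018, 4, 30), "mfa": False},
    "carol": {"role": "marketing",       "role_changed": date(2022, 4, 10), "mfa": False},
    "dan":   {"role": "senior_admin",    "role_changed": date(2021, 1, 1),  "mfa": False},
}

# Constructed entitlements actually present in the systems: user -> set of (system, classification)
ENTITLEMENTS = {
    "alice": {("helpdesk", "internal"), ("reports", "confidential")},
    "bob":   {("db", "confidential"), ("reports", "confidential")},        # never removed at offboarding
    "carol": {("cms", "internal"), ("reports", "confidential")},           # left over from a previous role
    "dan":   {("helpdesk", "internal"), ("reports", "confidential"), ("db", "confidential")},
}


@dataclass
class Finding:
    user: str
    system: str
    issue: str
    deadline: date
    overdue: bool


def excess_entitlements(user, users=USERS, entitlements=ENTITLEMENTS, role_needs=ROLE_NEEDS):
    """Entitlements the user holds that the current role (or no role at all) does not justify."""
    role = users[user]["role"]
    needed = role_needs.get(role, set()) if role else set()
    return entitlements.get(user, set()) - needed


def review_access(as_of, users=USERS, entitlements=ENTITLEMENTS, role_needs=ROLE_NEEDS):
    """Return findings for excess access (with its 30-day deadline) and for MFA gaps."""
    findings = []
    for user, info in users.items():
        deadline = info["role_changed"] + REVOCATION_WINDOW
        for system, _cls in sorted(excess_entitlements(user, users, entitlements, role_needs)):
            findings.append(Finding(user, system, "excess access", deadline, as_of > deadline))
        reaches_confidential = any(cls == "confidential" for _, cls in entitlements.get(user, set()))
        if reaches_confidential and not info["mfa"]:
            # The order requires MFA for confidential data; there is no grace period in this check.
            findings.append(Finding(user, "*", "confidential access without MFA", as_of, True))
    return findings


if __name__ == "__main__":
    for f in review_access(date(2022, 5, 1)):
        status = "OVERDUE" if f.overdue else f"due {f.deadline.isoformat()}"
        print(f"{f.user:6} {f.system:9} {f.issue:32} {status}")
```

Run as of 1 May 2022, the review catches the three distinct situations the settlement is aimed at: a terminated user whose entitlements are years overdue for removal, a current employee carrying a confidential entitlement from an old role that is inside the 30-day window but must still be scheduled, and admin users who can reach confidential data without MFA. The value of a review like this is that it runs on a calendar rather than waiting for an auditor to notice the same issue a second time.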

We could keep going, and perhaps we will in future posts. Suffice to say that this enforcement action reads like a blueprint of what the FTC wants to see for effective information security programs. So if you want an example of what you should be doing already, to avoid enforcement encounters like Illuminate suffered, give this one a read.