By Hank Russell
New York Attorney General Letitia James, California Attorney General Rob Bonta, and Connecticut Attorney General William Tong announced on November 6 that they have secured $5.1 million from educational technology company Illuminate Education, Inc. for failing to protect students’ data. New York State is expected to receive $1.7 million from that settlement.
Illuminate provides software to schools and school districts across the country to track students’ attendance and grades and to monitor students’ academic, behavioral, and mental health development. In 2022, Illuminate experienced a data breach that exposed the personal information of millions of students, including 1.7 million students in New York, according to James. An investigation by the Office of the Attorney General (OAG) and the New York State Education Department (NYSED) found that Illuminate failed to implement basic security measures to protect students’ data, including failing to monitor for suspicious activity on its platforms.
“Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure,” James said. “Illuminate violated that trust and did not take basic steps to protect students’ data. Today’s settlements will ensure that Illuminate protects students’ data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online.”
“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information,” Tong added. “Illuminate failed to implement basic safeguards and exposed the personal information of millions of students, including thousands here in Connecticut. This action—Connecticut’s first ever under the Student Data Privacy Law—holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”
“Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids,” said Attorney General Rob Bonta. “Today’s settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children’s information.”
“Administrators, caregivers, and students should feel confident that the software platforms used in schools uphold the highest standards of data security and privacy,” said NYSED Commissioner Betty A. Rosa. “By failing to follow even the most basic security protocols, Illuminate exposed the personal information of millions of students to bad actors—an egregious breach of trust and data protection. I thank the attorneys general—especially Letitia James of New York—for their partnership in this investigation and commend them for their unwavering dedication to safeguarding the personal information of our students and families.”
In December 2021, hackers were able to access one of Illuminate’s online accounts using the credentials of a former employee who had left the company years earlier. The hackers then downloaded unencrypted database files containing the information of approximately 1.7 million current and former New York students from approximately 750 schools. The student information included student names, birth dates, student ID numbers, and demographic information.
The OAG and NYSED determined that prior to the breach, Illuminate had failed to implement reasonable data security practices designed to protect students’ personal information. Among other things, Illuminate failed to encrypt student data, implement appropriate systems and processes to monitor for suspicious activity, decommission inactive user accounts, and limit account permissions to only those that were necessary. Illuminate also failed to delete student data when its contracts with certain school districts ended and failed to conduct a complete investigation following the data breach. In addition, Illuminate made representations about its data security program that ran counter to its actual data security practices.
As a result of today’s settlements, Illuminate must pay $5.1 million in penalties and costs, of which New York will receive $1.7 million. Illuminate is also required to adopt measures to better protect students’ personal information, including:
- maintaining a comprehensive information security program that ensures safeguards are in place to protect the security, integrity, and confidentiality of students’ data
- establishing and implementing policies and procedures that appropriately limit access to students’ data
- encrypting students’ data that it collects, stores, transmits, and/or maintains
- establishing and maintaining a system designed to monitor networks and systems for anomalous activity and/or data security events
- establishing and implementing a vulnerability management program designed to track vulnerabilities and apply applicable technical measures to remedy them
Illuminate must also provide schools with an annual notice that identifies the categories of student data it collects and lets schools identify student records, such as those that are dated or inactive, for deletion.
Long Island Life & Politics reached out to Renaissance Learning, which acquired Illuminate in May 2022.
“In January 2022, Illuminate Education experienced a data breach involving unauthorized access to certain school data,” a Renaissance spokesperson said in a statement. “The investigation and settlement are related to that event.”
The spokesperson went on to explain, “Following this event, Illuminate was acquired by Renaissance—a trusted leader in pre-K–12 education technology. Since the acquisition, Renaissance has incorporated the Illuminate products into its cybersecurity and data protection program, which includes robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators, and families.”
