DataBreaches.Net


Attorney General James and Multistate Coalition Secure $5.1 Million from Illuminate Education For Failing to Protect Students’ Data

Posted on November 7, 2025 by Dissent

NEW YORK – New York Attorney General Letitia James, California Attorney General Rob Bonta, and Connecticut Attorney General William Tong today announced that they have secured $5.1 million from educational technology company Illuminate Education, Inc. (Illuminate) for failing to protect students’ data. Illuminate provides software to schools and school districts across the country to track students’ attendance and grades and to monitor students’ academic, behavioral, and mental health development. In 2022, Illuminate experienced a data breach that exposed the personal information of millions of students, including 1.7 million students in New York. An investigation by the Office of the Attorney General (OAG) and the New York State Education Department (NYSED) found that Illuminate failed to implement basic security measures to protect students’ data, including failing to monitor for suspicious activity on their platforms. As a result of today’s settlements, Illuminate must pay $5.1 million and take steps to enhance and strengthen their cybersecurity practices.

“Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure,” said Attorney General James. “Illuminate violated that trust and did not take basic steps to protect students’ data. Today’s settlements will ensure that Illuminate protects students’ data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online.”

“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information,” said Attorney General Tong. “Illuminate failed to implement basic safeguards and exposed the personal information of millions of students, including thousands here in Connecticut. This action—Connecticut’s first ever under the Student Data Privacy Law—holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”

“Illuminate failed to appropriately safeguard the data of school children, resulting in a data breach that compromised the sensitive data of students nationwide, including more than 434,000 California students. Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids,” said Attorney General Rob Bonta. “Today’s settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children’s information. I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents’ data. Data security concerns know no borders, and as today’s settlements showcase, neither should state collaboration.”

“Administrators, caregivers, and students should feel confident that the software platforms used in schools uphold the highest standards of data security and privacy,” said NYSED Commissioner Rosa. “By failing to follow even the most basic security protocols, Illuminate exposed the personal information of millions of students to bad actors—an egregious breach of trust and data protection. I thank the attorneys general—especially Letitia James of New York—for their partnership in this investigation and commend them for their unwavering dedication to safeguarding the personal information of our students and families.”

In December 2021, hackers were able to access one of Illuminate’s online accounts using the credentials of a former employee who had left the company years earlier. The hackers then downloaded unencrypted database files containing the information of approximately 1.7 million current and former New York students from approximately 750 schools. The student information included student names, birth dates, student ID numbers, and demographic information.

The OAG and NYSED determined that prior to the breach, Illuminate had failed to implement reasonable data security practices designed to protect students’ personal information. Among other things, Illuminate failed to encrypt student data, implement appropriate systems and processes to monitor for suspicious activity, decommission inactive user accounts, and limit account permissions to only those that were necessary. Illuminate also failed to delete student data when its contracts with certain school districts ended and failed to conduct a complete investigation following the data breach. In addition, Illuminate made representations about its data security program that ran counter to its actual data security practices.

As a result of today’s settlements, Illuminate must pay $5.1 million, of which New York will receive $1.7 million, in penalties and costs. Illuminate is also required to adopt measures to better protect students’ personal information, including:

  • Maintaining a comprehensive information security program that ensures safeguards are in place to protect the security, integrity, and confidentiality of students’ data;
  • Establishing and implementing policies and procedures that appropriately limit access to students’ data;
  • Encrypting students’ data that it collects, stores, transmits, and/or maintains;
  • Establishing and maintaining a system designed to monitor networks and systems for anomalous activity and/or data security events; and
  • Establishing and implementing a vulnerability management program designed to track vulnerabilities and apply applicable technical measures to remedy them.

Illuminate must also provide schools with an annual notice that identifies the categories of student data it collects and lets schools identify student records, such as those that are dated or inactive, for deletion.

For New York, this matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Data Security Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.

Source: NY Attorney General Letitia James


Category: Education Sector, Of Note, U.S.
