
The Federal Trade Commission (FTC) said on Dec. 1 that a majority of its commissioners approved the agency taking legal action against edtech services provider Illuminate following a breach, “which allowed hackers to access the personal data of more than 10 million students.”
The federal government antitrust watchdog agency said in a press release that its commissioners voted 2-0 to accept a proposed complaint against Illuminate Education and to seek public comment on the matter and on a related consent order.
The FTC said it will take comments for at least 30 days after publishing the call for comments in the Federal Register “soon.”
At the heart of the FTC’s allegations is that Illuminate Education “claimed to protect the privacy and security of the data it maintains but failed to deploy reasonable security measures to protect student data stored in cloud-based databases.”
“These failures led to a major data breach,” the agency is claiming in published documents related to the case.
The agency said its proposed settlement terms with the company will require Illuminate Education to implement a new data security program and delete unnecessary student data that it still retains.
“Illuminate pledged to secure and protect personal information about children and failed to do so,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, in a statement from the agency.
“Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data,” Mufarrige said.
“On its website, the company claimed that it protects ‘your data like it’s our own’ and that it takes ‘security measures – physical, electronic, and procedural – to help defend against the unauthorized access and disclosure of your information,’” the FTC said.
“In contracts with school systems, the company represented it implemented practices and procedures designed to meet or exceed private industry best practices and pledged to take specific steps to protect and secure student data, such as encrypting it,” the agency added.
According to the FTC, Illuminate Education was told by a vendor as early as January 2020 that “there were numerous security vulnerabilities on its network, but the company failed to take steps to adequately correct these problems.”
“These alleged security failures included failing to implement reasonable access controls that safeguard students’ personal information, effective threat detection and response, and vulnerability monitoring and patch management practices,” the agency said, adding, “They also included storing student data in plain text until at least January 2022.”