California Attorney General Rob Bonta announced that California secured a $3.25 million settlement with a software maker for failing to protect students’ data.
The settlement also involves two other states, amounting to a total of $5.1 million and injunctive terms from educational technology company Illuminate Education Inc. Connecticut Attorney General William Tong, and New York Attorney General Letitia James were part of the settlement.
In 2021, Illuminate experienced a data breach that reportedly exposed the information of millions of students, including California students across 49 school districts. The breached data included personal and medical information, such as student name, race, whether the student received special education services or reasonable accommodations, and coded medical conditions.
Of the 3 million California students impacted by the breach, more than 434,000 had sensitive information stolen, according to Bonta.
As part of the three separate settlements with the states, Illuminate has agreed to pay California $3.25 million in civil penalties and has agreed to enhance its data security practices.
In December 2021, a hacker reportedly accessed Illuminate’s network using the credentials of a former employee who had left the company years earlier. The hacker then created new credentials to enable future access to Illuminate’s network and data and spent several days stealing and deleting student data.
The investigation by the California Department of Justice determined that Illuminate failed to carry out basic security procedures to protect information. Illuminate failed to terminate the login credentials of former employees, it did not monitor and alert for suspicious logins and activity and the company did not secure its back up databases separately from its active databases.
As part of California’s settlement, Illuminate has agreed to:
- Implement appropriate access control and account management, including terminating the credentials of former employees and conducting audits to check that all valid credentials belong only to current employees.
- Implement real-time monitoring and alerts for suspicious access and activity.
- Implement safeguards to protect backup databases.
- Inform the California DOJ of breaches involving student data.
- Provide reminders to school districts that they should perform a review of the student data stored by Illuminate on the school’s behalf.
Topics California
Was this article valuable?
Here are more articles you may enjoy.
Florida Appeals Court Reverses $200M Jury Verdict in Maya Kowalski Case 
Buffett’s Berkshire Cash Hits $382 Billion, Earnings Soar 
Zurich Invests Heavily in Underwriting Talent to Boost Mid-Market, Specialty Growth 
Black Vultures Spreading North, Attacking and Killing Cattle 
