FTC slaps edtech vendor after breach exposes 10M students

"The breach at Illuminate exposed highly-sensitive records tied to 10.1 million students: email and postal addresses, dates of birth, student records, and even health-related information. Illuminate had marketed itself to school districts as a trustworthy custodian of student information, promising to handle data "as if it's our own" and using contract language that portrayed its security posture as compliant with best practices, including encryption and the usual trimmings."
"But the FTC says the company failed to deliver on those promises. As early as January 2020, a third-party vendor alerted Illuminate to "numerous security vulnerabilities" in its network, yet the company allegedly did little to plug the holes. Among the alleged failures were storing student data in plain text at least until January 2022, lacking reasonable access controls, and neglecting threat detection, vulnerability monitoring, and patch management."
An attacker used credentials of a former employee to breach an edtech firm's cloud database in late December 2021, exposing highly sensitive records for 10.1 million students, including emails, postal addresses, dates of birth, student records, and health information. A third-party vendor alerted the company to numerous security vulnerabilities as early as January 2020, but the company allegedly failed to remediate issues. Alleged failures include storing student data in plain text until January 2022, lacking reasonable access controls, and neglecting threat detection, vulnerability monitoring, and patch management. The FTC demanded changes without imposing fines or criminal charges; some districts were not notified promptly, leaving about 380,000 students uninformed for nearly two years.
Read at The Register