The fallout continues from Illuminate Education’s enormous data breach.
A Washington-based think tank has revoked Illuminate Education’s status as a pledged signatory to a student privacy protection pact that includes hundreds of other education companies. The Future of Privacy Forum, a nonprofit that seeks to bring together consumer advocates, industry, and others in support of data privacy, also said it referred the ed-tech vendor to federal and state authorities.
The decision by the FPF to remove Illuminate Education from the Student Privacy Pledge, a voluntary data protection commitment, marks the first time a company has been removed from the list of signatories.
It comes months after a cyberattack on Illuminate Education, which provides integrated K–12 technology systems with tools for instruction, assessment, and data analytics, compromised the personal information of students at two of the nation’s largest public school systems — New York City and Los Angeles.
The full extent of the data breach is still unknown, but districts in a number of states have said they believe their information was also affected, according to public statements and news reports.
Illuminate Education has not revealed how many students have had their information compromised. In a statement, the company said that it was disappointed with being removed from the pledge and has “made enhancements” to its security and privacy protocols.
New York City officials announced in March that the personal data of some 820,000 current and former students had been compromised, marking what is believed to be the single biggest cyberattack on a single school district in U.S. history. Since then, more districts have acknowledged that they were also hacked.
Aside from New York and Los Angeles, media reports say the data breach has also touched districts in Colorado, Connecticut, Oklahoma, and Washington state.
Focus on Encryption
Created in 2014 by the FPF and the Software and Information Industry Association, the pledge includes voluntary commitments from education companies to securely handle data — a self-regulatory tool that education companies have used to market their products to districts.
There are currently more than 245 signatories, including ed-tech vendors such as Amplify, Canvas, Dreambox Learning, McGraw Hill, and PowerSchool.
The FPF said in a statement that it launched a review of “publicly available” information and spoke directly with Illuminate Education about the data breach.
The review “appears to confirm that Illuminate Education did not encrypt all student information while at rest and in transit,” which violates provisions of the pledge, the organization said.
“In multiple communications with Illuminate, the company would not state that it encrypted all student information while at rest and in transit during the relevant time periods,” the FPF said.
Along with revoking the ed-tech vendor’s status as a signatory, the FPF said it also referred Illuminate Education to the Federal Trade Commission and state attorneys general in New York and California, where two of the largest breaches occurred and where the company is headquartered.
“Noncompliance with the pledge when publicly attesting to compliance may be a misleading and deceptive business practice under federal and state law if confirmed by those agencies,” the privacy forum said.
For its part, Illuminate Education said in a statement it would move forward and “continue to monitor and enhance the security of our systems.”
“We will continue to work with students and school districts to resolve any concerns related to this matter while prioritizing the privacy and protection of the data we maintain,” the company said.
The FTC recently warned ed-tech providers against violating provisions of federal law pertaining to collecting children’s information without their parents’ consent. Families and schools, the agency said, are currently forced to “navigate an industry that is dominated by the commercial surveillance business model.”