11/06/2025 | Press release | Distributed by Public on 11/06/2025 13:44
OAKLAND - California Attorney General Rob Bonta, Connecticut Attorney General William Tong, and New York Attorney General Letitia James today announced that they have secured $5.1 million and injunctive terms from educational technology company Illuminate Education, Inc. (Illuminate) for failing to protect students' data. In 2021, Illuminate experienced a data breach that exposed the information of millions of students, including California students across 49 school districts. The breached data included sensitive personal and medical information, such as student name, race, whether the student received special education services or reasonable accommodations, and coded medical conditions. Of the three million California students impacted by the breach, more than 434,000 had sensitive information stolen. As part of the three separate settlements with the states, Illuminate has agreed to pay California $3.25 million in civil penalties and has agreed to comply with requirements to strengthen its data security practices.
"Illuminate failed to appropriately safeguard the data of school children, resulting in a data breach that compromised the sensitive data of students nationwide, including more than 434,000 California students. Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids," said Attorney General Rob Bonta. "Today's settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children's information. I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents' data. Data security concerns know no borders, and as today's settlements showcase, neither should state collaboration."
"Technology is everywhere in schools today, and Connecticut's Student Data Privacy Law requires strict security to protect children's information. Illuminate failed to implement basic safeguards, and exposed the personal information of millions of students, including thousands here in Connecticut," said Attorney General William Tong. "This action - Connecticut's first ever under the Student Data Privacy Law - holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously."
"Students, parents, and teachers should be able to trust that their schools' online platforms are safe and secure," said Attorney General Letitia James. "Illuminate violated that trust and did not take basic steps to protect students' data. Today's settlements will ensure that Illuminate protects students' data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online."
In December 2021, a hacker accessed Illuminate's network using the credentials of a former employee who had left the company years earlier. The hacker then created new credentials to enable future access to Illuminate's network and data and spent several days stealing and deleting student data.
The investigation by the California Department of Justice determined that Illuminate failed to carry out basic security procedures to protect students' information. First, Illuminate failed to terminate the login credentials of former employees, resulting in the credentials of a former employee with a high level of access to Illuminate's systems remaining active after his departure from the company. Second, Illuminate did not monitor and alert for suspicious logins and activity. Third, Illuminate did not secure its backup databases separately from its active databases. As a result, the backup databases were compromised when the attacker compromised the active database, negating the purpose of maintaining a backup. Moreover, Illuminate made false and misleading statements in its Privacy Policy, including stating that it took steps to prevent unauthorized access and disclosure of information and that its measures "meet or exceed the requirements of applicable federal and state law," when that was not the case. Illuminate also deceptively advertised that it was a signatory of the Future of Privacy Forum's "Student Privacy Pledge," but was later dropped from the list of signatories as a result of the breach.
As a result of today's settlements, Illuminate must pay a total of $5.1 million to the states, including $3.25 million to California. In addition, as part of California's settlement, subject to court approval, Illuminate has agreed to:
Today's settlement marks DOJ's first enforcement action involving California's K-12 Pupil Online Personal Information Protection Act (KOPIPA), which requires operators of online services used for K-12 school purposes to implement and maintain reasonable security procedures and practices to protect student data.
Attorney General Bonta is committed to ensuring businesses follow the law when it comes to consumers' data - including children's data:
Last month, Attorney General Bonta secured a $530,000 settlement with streaming service Sling TV resolving allegations that the company failed to provide an easy-to-use method for consumers to stop the sale of their personal information and failed to provide sufficient privacy protections for children. In 2024, Attorney General Bonta secured a $6.75 million settlement with Blackbaud, a South Carolina-based software company, for violating consumer protection and privacy laws related to its unlawful data security practices. Blackbaud's failure to implement reasonable data security led to a data breach in 2020. Also last year, Attorney General Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a $500,000 settlement with Tilting Point Media resolving allegations that the company violated state and federal privacy laws by collecting and sharing children's data without parental consent in its popular mobile app game "SpongeBob: Krusty Cook-Off."
A copy of the complaint can be found here. A copy of the proposed judgment, which remains subject to court approval, can be found here.