Decade-old login opens door to massive 10M student data breach


Illuminate Education Inc., an American software company that provides services to educational institutions, has leaked data belonging to more than 10 million students via a 10-year-old credential created by an employee who left the company long ago.

In January 2022, Illuminate Education suffered a data breach in which an attacker obtained the personal information of 10.1 million students. An employee of Illuminate’s software development team received the alert and notified members of the engineering and DevSecOps teams, who discovered malicious activity in Illuminate’s IO Suite.

The subsequent investigation showed that a threat actor gained access to Illuminate’s Amazon Web Services (AWS) cloud environment using existing access key pairs belonging to Identity and Access Management (IAM) users, which gave the attacker admin-level access. The attacker used this access to generate a token and create a new user with access similar to that of the compromised account.

The keys that the attacker used to access Illuminate’s AWS environment belonged to a former employee who had left the company in 2018 and were approximately 10 years old.
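The key at the centre of this breach was long-lived and belonged to a departed employee, exactly the kind of credential a routine audit should surface. The following is an added example, not code from Illuminate or the FTC: it reads a constructed sample in the column format of the AWS IAM credential report (an assumption; only a subset of the report's columns is used) and flags active access keys that have not been rotated or used within a configurable window.

```python
"""Flag long-lived and dormant IAM access keys in a credential report."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (not real Illuminate data). Columns mirror a subset of
# the IAM credential report. Row 1 is a 2013 key last used in 2018, modelled
# on the key described in the article; row 3 is already deactivated.
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
former-dev,arn:aws:iam::123456789012:user/former-dev,2013-03-01T09:00:00+00:00,true,2013-03-01T09:00:00+00:00,2018-06-30T17:45:00+00:00
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2021-11-05T12:00:00+00:00,true,2024-12-01T08:00:00+00:00,2025-01-10T07:30:00+00:00
old-admin,arn:aws:iam::123456789012:user/old-admin,2014-07-14T10:00:00+00:00,false,2014-07-14T10:00:00+00:00,N/A
"""

# Fixed "as of" date so the sample audit is reproducible (constructed).
AS_OF = datetime(2025, 1, 20, tzinfo=timezone.utc)


def _parse(ts):
    """Report timestamps are ISO 8601; 'N/A' means the key was never used."""
    if ts in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def find_stale_keys(report_csv, now, max_age_days=90, max_idle_days=90):
    """Return (user, reason) pairs for active keys that are too old or dormant."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue  # inactive keys cannot authenticate; delete them separately
        rotated = _parse(row["access_key_1_last_rotated"])
        last_used = _parse(row["access_key_1_last_used_date"])
        age = now - rotated
        if age > timedelta(days=max_age_days):
            findings.append((row["user"], f"key not rotated for {age.days} days"))
        # A key never used counts as idle since it was created/rotated.
        idle = now - (last_used or rotated)
        if idle > timedelta(days=max_idle_days):
            findings.append((row["user"], f"key unused for {idle.days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report with the fixed as-of date."""
    return find_stale_keys(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, reason in audit_sample():
        print(f"{user}: {reason}")
```

On a real account the same function can be fed the CSV returned by `aws iam get-credential-report`; a hit on a user who no longer works for the organisation is the case this article describes.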


For 13 days straight, the threat actor performed several malicious activities, including modifying Illuminate’s AWS security groups, resetting database passwords, deleting database resources, exfiltrating 787 SQL server backups, and stealing the personal information of more than 10.1 million students.

The exfiltrated data included names, student identification numbers, dates of birth, email addresses, usernames, passwords, demographic information such as race, home language, foster status, homelessness status, economic status, disability information, special education needs information, and disciplinary incident information.

According to the Federal Trade Commission (FTC), Illuminate’s cybersecurity left much to be desired, and it had been warned about this.

From 2020 to 2022, a third-party cybersecurity firm conducted annual Cybersecurity Assessments and NIST Cybersecurity Framework Assessments. The external company assessed that Illuminate’s network contained several vulnerabilities that needed to be addressed, including outdated software, weak login credentials, and insecure system configurations.


“Despite receiving the vendor’s corrective action plan, Illuminate failed to adequately address the security failures that had been identified,” the FTC concludes. The competition regulator also accuses Illuminate of failing to promptly notify schools of the breach.

The FTC has now settled with Illuminate. The software developer can no longer make misleading claims about its own data security and privacy practices.

In addition, it must delete and refrain from storing unnecessary student data, implement a data retention schedule, establish an information security program to protect personal data, and notify the FTC if it experiences a new data breach.
