hackers – 社区黑料 America's Education News Source

FTC, State AGs Crack Down on Ed Tech Company After Massive Student Data Breach

Fri, 12 Dec 2025 11:30:00 +0000

When the Federal Trade Commission announced this month it was Illuminate Education over a massive 2021 data breach, it added to the list of government measures against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed penalties and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach. 

The ones that haven’t made progress in their efforts to hold Illuminate accountable are parents and students. Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data – including grades, special education information and medical records – didn’t constitute a concrete harm.

The federal appeals court of a proposed class-action lawsuit filed by families whose children’s information was compromised. The court concluded the plaintiffs lacked standing because they did not demonstrate actual damage from the breach or an “imminent and substantial” risk of future identity theft. In the years since the cyberattack was carried out, the court concluded, there was no evidence that the records, which did not include Social Security numbers, had been misused to commit identity theft.

“It has been more than three years since the breach,” the court wrote, “and no fraud has occurred, nor is the kind of information at issue the kind that this court normally considers sufficient to find a credible threat of identity theft.”

Under announced by the FTC this month, Illuminate will be required to create a “comprehensive information security program,” delete any student data it is no longer using and notify the commission of any future data breaches. Regulators allege a third-party company hired by Illuminate to assess its cybersecurity safeguards raised red flags but Illuminate failed to heed those warnings a year before it was hacked using the compromised credentials of a former employee.

“Illuminate pledged to secure and protect personal information about children and failed to do so,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a media release this month. The FTC action, Mufarrige continued, should serve as a warning to other companies that the commission “will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”

After the data breach, which affected the country’s two largest school districts in New York City and Los Angeles among others, Illuminate was by another education technology company, in 2022. Since then, a Renaissance spokesperson said in a statement to 社区黑料 this week, Illuminate products have been incorporated into its “cybersecurity and data protection program.”

“robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators and families,” the spokesperson said.

The FTC action comes on the heels of last month, when state attorneys general in California, Connecticut and New York secured a combined $5.1 million in penalties from Illuminate, along with cybersecurity requirements that resemble the FTC’s demands. State investigators similarly alleged sweeping security flaws at the company, including the failure to monitor suspicious activity and deactivate the inactive user accounts of former employees.

A California Department of Justice that Illuminate made “false and misleading statements” about its cybersecurity safeguards in its privacy policy and “deceptively advertised” to school districts that it was a signatory of the nonprofit Future of Privacy Forum’s now-defunct “Student Privacy Pledge.”

The voluntary pledge, , sought to hold education technology companies accountable for maintaining “a comprehensive security program” to protect students’ personal information and to prevent the sale of student records for targeted advertising.

Illuminate became the first ed tech company to get booted from the pledge after reporting by 社区黑料 called into question its utility in holding tech firms accountable for failing to meet its provisions. 

The multistate Connecticut regulators reached a settlement under its state student data privacy law – which was enacted nearly a decade ago.

“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information,” Connecticut Attorney General William Tong said in a statement. The settlement “holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”

The ‘Seasoned’ Teen Hacker Behind the PowerSchool Breach

Sat, 11 Oct 2025 10:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

The Massachusetts teenager set to be sentenced next week for  was a “seasoned cybercriminal” who has targeted educational institutions, government agencies and corporations since 2021, my latest investigation reveals.

Good morning and thank you for tuning in for a special edition of . Today, I turn your attention to Matthew Lane, who was a 19-year-old college freshman when he pleaded guilty earlier this year to carrying out a cyberattack on PowerSchool, stealing sensitive data from millions of students and teachers and leveraging it into 

In my latest story published this morning, I reveal how  according to threat intelligence research conducted by the cybersecurity company Cyble and provided exclusively to 社区黑料. The company’s findings, which mirror sentencing documents released by federal prosecutors on Wednesday, conclude that Lane used advanced techniques to take down his targets including PowerSchool – a cyberattack that represented “a predictable escalation rather than an isolated incident.”

Federal prosecutors used similar language, maintaining that Lane’s “crimes were not a mistake resulting from an isolated lapse in judgment,” but rather part of a pattern of criminal cyber activity that dates back to at least 2021.

In an analysis of digital fingerprints and data breaches, Cyble analysts concluded that Lane had been  when he was still in high school. Targets included an alcoholic beverage company, a major U.S. supermarket chain, an Indonesian telecommunications company and the Colombian armed forces, Cyble said. In Wednesday’s memo, prosecutors allege that Lane has hacked at least eight targets, including “foreign government entities.” To this day, prosecutors said, most of the millions of dollars he extorted remains unaccounted for.

In federal district court in Worcester, Massachusetts, on Tuesday, they will ask the judge to sentence Lane, who was known to many in his life as a soft-spoken gamer and skilled computer programmer, to seven years in prison and more than $14 million in restitution. 
