Three state attorneys general announced Thursday that the educational technology company Illuminate Education will pay a $5.1 million fine and agree to make changes to its business to settle allegations that shoddy security practices led to a 2021 data breach.

The data breach exposed student names, races, coded medical conditions and whether they received special education accommodations. It impacted students in 49 states and three million in California alone.

Several security failings led to the breach, according to a press release from California Attorney General Rob Bonta.

For example, Illuminate allegedly failed to delete the login credentials of former employees, the press release said. The hacker who obtained the private data allegedly used a former Illuminate employee’s credentials to gain access to its network.

The ed tech firm also allegedly failed to monitor its systems for suspicious activity and did not separately secure backup and active databases. Because the databases were not separated, the press release said, the backup databases were also compromised when the active database was breached.

Illuminate also allegedly made false statements in its privacy policy, which told users its practices “meet or exceed the requirements of applicable federal and state law." 

The firm has agreed to bolster its access control and account management practices, do real time monitoring for suspicious activity and stop storing backup databases in the same network as active ones, the press release said.

Bonta brought the action alongside Connecticut Attorney General William Tong and New York Attorney General Letitia James.

Illuminate did not immediately respond to a request for comment.