An educational technology provider has agreed to implement a data security program and delete unnecessary data to settle allegations that poor security practices led to a massive 2021 data breach.

The Federal Trade Commission (FTC) on Monday announced the agreement with Wisconsin-based Illuminate Education. The agency alleges that Illuminate told customers it protected their data but in reality had shoddy network security, leading to the breach of personal data belonging to 10.1 million students in December 2021. 

A hacker used credentials belonging to a former employee to breach Illuminate’s database, which was stored on a third-party cloud provider, the FTC said. The former employee had left the company three and a half years before the credentials were used, according to the agency.

Data accessed by the hacker included email and mailing addresses, dates of birth, student records and health information, the FTC said.

Illuminate said on its website that it safeguards “your data like it’s our own” and that it takes “security measures—physical, electronic, and procedural—to help defend against the unauthorized access and disclosure of your information.”

Contracts with school systems misrepresented the company’s security practices by falsely claiming student data was encrypted, according to the FTC.

A third-party vendor allegedly notified Illuminate that its network was vulnerable to hacking in January 2020, but the company did not address the problems, the FTC said. The security deficiencies included “failing to implement reasonable access controls that safeguard students’ personal information, effective threat detection and response, and vulnerability monitoring and patch management practices,” the FTC said in a blog post.  

Illuminate also stored student data in plain text until at least January 2022, according to the agency.

The company waited nearly two years to tell some school districts about the breach, impacting more than 380,000 students who were unaware that their data had been hacked.

Illuminate has agreed to no longer deceive customers about its security protocols, alert school districts about breaches quickly and delete personal data that it no longer needs to provide services as part of the settlement agreement. 

The firm also has agreed to adhere to a publicly available data retention schedule that lays out deletion timeframes, establish a comprehensive information security program and notify the FTC if it has reported a data breach to another federal, state, or local government.

A spokesperson for Illuminate did not immediately respond to a request for comment.