A recent settlement with an education service provider and three states – California, Connecticut, and New York – serves as a reminder to deactivate the credentials of departed employees. The case arose following a data breach suffered by Illuminate Education, which provides assessment software to K-12 school systems. As part of its services, the company stores sensitive details like students’ special education and accommodation needs.
In 2021, a hacker accessed the company’s network using the administrative-level credentials of a former employee. The hacker created new accounts and exfiltrated the personal information of millions of students. The states alleged that failing to turn off the credentials of the former employee directly led to the 2021 breach. This, they argued, was a violation of their respective student privacy laws and was an unfair trade practice.
To settle the matter, the company agreed to pay $5.1 million: California will receive $3,250,000, Connecticut $1,700,000, Connecticut, and $150,000 will go to New York. The company also agreed to modify its security measures. Among other things, it will create and maintain data inventories, as well as limit data retention periods. It will also strengthen its access control and authentication processes.
Putting it into Practice: Threat actors are using more sophisticated tools to identify vulnerabilities. This settlement serves as a reminder to establish a clear process for removing credentials of departing employees. Especially those who may have been systems administrators.
Further contributions to this article by Angela Banks, Cybersecurity & Privacy Fellow
