Illuminate Education, Inc. Breach Incident Score: Analysis & Impact (ILL5492254111125)

In this Rankiteo incident briefing, we review the Illuminate Education, Inc. breach identified under incident ID ILL5492254111125.

The analysis begins with a detailed overview of Illuminate Education, Inc.'s information like the linkedin page: https://www.linkedin.com/company/illuminate-education, the number of followers: 14368, the industry type: Software Development and the number of employees: 81 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 597 and after the incident was 399 with a difference of -198 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Illuminate Education, Inc. and their customers.

Illuminate Education Inc. recently reported "Data Breach Exposing Personal Information of 1.7 Million New York Students", a noteworthy cybersecurity incident.

New York reached a $1.7 million settlement with Illuminate Education Inc.

The disruption is felt across the environment, affecting Illuminate Education’s database systems, and exposing Student names, Birth dates and Demographic information, with nearly 1.7 million (New York) + unspecified numbers in Connecticut and California records at risk, plus an estimated financial loss of $1.7 million (settlement for New York), $5.1 million (total settlements across affected states).

In response, and began remediation that includes Adoption of stronger cybersecurity measures (post-settlement), Policies to limit access to student data and Data encryption for student records, and stakeholders are being briefed through Public statement by New York Attorney General Letitia James; settlement announcements.

The case underscores how Completed (settlement reached), teams are taking away lessons such as Importance of deactivating inactive user accounts promptly, Necessity of encrypting sensitive data (especially student records) and Need for continuous monitoring of suspicious activity, and recommending next steps like Implement multi-factor authentication (MFA) for all user accounts, Regularly audit and deactivate inactive or former employee accounts and Encrypt all sensitive data at rest and in transit, with advisories going out to stakeholders covering Public statements by New York Attorney General; advisories likely issued to affected schools and districts.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including hackers exploited the credentials of a **former employee** to access unencrypted database files, and entry point such as Compromised credentials of a former Illuminate Education employee. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (85%), with evidence including failure to deactivate former employee credentials, and lack of monitoring for suspicious activity and Valid Accounts (T1078) with high confidence (90%), with evidence including credentials of a **former employee** used for access, and inactive user accounts not deactivated. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (80%), with evidence including inactive user accounts not deactivated, and excessive data access privileges. Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (75%), with evidence including lack of monitoring for suspicious activity, and no anomaly detection systems prior to breach and Indicator Removal: File Deletion (T1070.004) with moderate confidence (60%), supported by evidence indicating no mention of logs or alerts during the breach (implied by lack of monitoring). Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with moderate to high confidence (85%), with evidence including downloaded unencrypted database files, and high value targets such as Student databases (academic, behavioral, and demographic data). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including accessed the company’s system... and downloaded unencrypted database files, and database files containing PII were exfiltrated. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with high confidence (90%), with evidence including downloaded unencrypted database files, and data exfiltration such as Yes (unencrypted database files downloaded). Under the Impact tactic, the analysis identified Data from Cloud Storage (T1530) with moderate to high confidence (85%), with evidence including 1.7 million students PII exposed (names, birth dates, demographic info), and high (includes names, birth dates, demographic info) sensitivity. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.