FTC Reaches Settlement with Ed Tech Provider Over Breach of Student Data

On December 1, 2025, the Federal Trade Commission (“FTC”) announced a proposed settlement with Illuminate Education, Inc. (“Illuminate”), an education technology provider, to resolve allegations that the company’s data security failures led to a data breach affecting the personal information of over 10 million students. The FTC’s enforcement action follows a recent $5.1 million multistate attorney general settlement with the company over the same breach.

The FTC’s complaint alleges that in December 2021, a hacker used the credentials of a former employee to gain unauthorized access to Illuminate’s cloud environment. According to the FTC, the breach affected the personal information of 10 million students, including email and mailing addresses, dates of birth, student records, and health-related information.

The FTC alleges that despite Illuminate’s representations that it safeguards student data, the company failed to implement reasonable security measures. The FTC’s complaint notes that Illuminate stored student data in plain text until at least January 2022 and ignored warnings from a third-party vendor about security vulnerabilities. The FTC also alleges that the company failed to implement reasonable access controls, effective threat detection measures, and vulnerability monitoring and patch management practices. The FTC further alleges that Illuminate delayed notifying its customers of the breach, with certain school districts (comprising more than 380,000 students) not being notified until nearly two years after the breach.  

The FTC’s proposed consent order requires Illuminate to take the following corrective actions:

  • delete personal information that is no longer necessary to provide the requested services;
  • publish and comply with a data retention schedule that explains the purposes for collecting personal information, the specific business needs for retaining such information, and a timeframe for deleting such information;
  • establish and implement a comprehensive information security program for the personal information it collects; and
  • notify the FTC if it alerts another federal, state or local government about a data breach involving consumers’ personal information.  

The order also prohibits Illuminate from misrepresenting its data security and privacy practices. 

The next step in the FTC’s process will be the publication of a notice of the proposed consent order in the Federal Register. The proposed order will be open for public comment for 30 days after publication. The FTC will then decide whether to make the order final. 
