Dive Brief:
- The Federal Trade Commission announced Monday that it will require Illuminate Education to implement a data security program to settle allegations that the company failed to protect student data, leading to a December 2021 breach that exposed personal information of over 10 million students.
- According to the FTC, although a third-party vendor hired by Illuminate to conduct cybersecurity assessments alerted the ed tech company to multiple security vulnerabilities over a year before the data breach, the company didn’t properly address those issues.
- An FTC spokesperson said on Tuesday that the proposed order and complaint against Illuminate would be published in the Federal Register later this week. Publication of this "consent agreement package" will open a 30-day public comment period before it is finalized.
Dive Insight:
Data exposed by Illuminate’s 2021 breach included students’ email and mailing addresses, dates of birth, school records and health-related information, according to the FTC's complaint. The commission added that some of the issues flagged to Illuminate in its third-party cybersecurity assessments included a lack of controls for who had access to students' information and a failure to encrypt student data.
Moreover, the FTC alleged that Illuminate didn’t notify some affected districts — representing a collective 380,000 students — for almost two years after the incident.
The breach impacted some of the nation’s largest school systems, including New York City Public Schools and Los Angeles Unified School District.
Under the FTC’s proposed order, Illuminate would have to:
- Stop misrepresenting its data security and privacy practices, including how quickly it will inform districts and students about relevant data breaches.
- Delete personal information that the company no longer uses to provide required services.
- Create and carry out a comprehensive information security program that protects the security, availability and confidentiality of any collected personal data.
- Notify the FTC if the company alerts another federal, state or local government about a data breach affecting users’ personal information.
“Illuminate pledged to secure and protect personal information about children and failed to do so,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, in a Monday statement. “Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”
In 2022, Illuminate was acquired by another ed tech company, Renaissance.
In a statement emailed to K-12 Dive on Monday, an Illuminate spokesperson said Renaissance had incorporated Illuminate’s products “into its cybersecurity and data protections program, which includes robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators, and families.”
The Illuminate data breach is not the most recent high-profile breach to affect the K-12 sector.
In January 2025, PowerSchool informed districts that it had fallen victim to a widespread breach that eventually impacted more than 60 million students and 10 million teachers. The hacker responsible for the incident — a 19-year-old college student — was recently sentenced to four years in prison and ordered to pay nearly $14.1 million in restitution.
Some state leaders have begun investigating PowerSchool due to that breach.
In September, for example, Texas filed a lawsuit against PowerSchool for allegedly failing to protect sensitive student and teacher data. According to Texas Attorney General Ken Paxton, the breach exposed the personal identifying and health information of more than 880,000 children and teachers in the state.