FTC action takes center stage as the U.S. Federal Trade Commission has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach incident dates back to December 2021 when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted them to several vulnerabilities in their systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:

• Deleting any personal information that is no longer required for service delivery.
• Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
• Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
• Notifying the FTC when the company reports a data breach to any federal, state, or local authority.

The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.