Illuminate Education FTC Action Over 10.1 Million Student Records Breach

Dec 1, 2025 · $5.1M settlement

HIGH

By Karim El Labban · ZERO|TOLERANCE

Between December 28, 2021 and January 8, 2022, an attacker used stolen credentials of a former Illuminate Education employee to access the company's systems over eleven days. The former employee had left the company three and a half years earlier.

Their account had never been decommissioned. The systems were not protected by MFA. The data was not encrypted. 10.1 million K-12 student records were accessed.

01

KEY FACTS

  • What: Former employee's dormant credentials used to access systems for 11 days.
  • Who: 10.1 million K-12 students across the United States.
  • Data Exposed: Grades, health records, disabilities, and student IDs.
  • Outcome: FTC consent order and $5.1M multi-state settlement.

02

WHAT HAPPENED

On December 28, 2021, an attacker used stolen credentials belonging to a former Illuminate Education employee to access the company's internal systems. The former employee had left Illuminate three and a half years earlier.

Their account had never been decommissioned, deactivated, or flagged for review. No multi-factor authentication was required to authenticate.

The attacker maintained persistent access for eleven consecutive days, from December 28, 2021 through January 8, 2022, accessing databases containing records for 10.1 million K-12 students across the United States.

The compromised data included student names, dates of birth, email addresses, student identification numbers, academic records (grades, test scores, attendance), and - critically - health information including disabilities, medical conditions, and school nurse records.

The New York City Department of Education alone had 820,000 students across 750 schools exposed. California accounted for approximately 3 million affected students.

The data was stored unencrypted in plaintext, meaning the attacker had immediate access to readable records without needing to defeat any additional protective controls.

Illuminate had actively marketed its products with claims of "bank-level security" - a characterization the FTC found to be straightforwardly deceptive given the absence of MFA, plaintext data storage, and abandoned employee accounts with active credentials.

In December 2025, the FTC issued a consent order, and attorneys general in New York, California, and Connecticut secured a combined $5.1 million multi-state settlement.

The case became a landmark enforcement action establishing that edtech companies making false security claims will face regulatory consequences.

03

WHAT WAS EXPOSED

Student names, email addresses, dates of birth, student identification numbers. Academic performance data (grades, test scores, attendance). Health information including disabilities, medical conditions, and school nurse records. Special education data.

NYC DOE: 820,000 students across 750 schools. California: approximately 3 million affected students.

04

DECEPTIVE SECURITY MARKETING

Illuminate marketed its products with claims of "bank-level security" that were straightforwardly false. A company lacking MFA, storing data in plaintext, and failing to decommission employee accounts for 3.5 years does not provide "bank-level security."

05

ZERO|TOLERANCE Advisory

1. Formal IAM program with mandatory offboarding procedures

2. Quarterly access reviews for dormant accounts

3. Universal MFA for all accounts with student data access

4. Encryption at rest for all sensitive data fields

5. Internal review process for security claims in marketing materials
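Items 1 through 4 above are checkable against an account inventory. The script below is an added illustration, not Illuminate's tooling or data: it runs an offboarding, dormancy and MFA review over a constructed set of hypothetical accounts, and shows why the review must key on HR status rather than login recency, since the attacker's own logins make an orphaned account look active. The 90-day threshold and the field names are assumptions.

```python
from datetime import date

DORMANT_DAYS = 90  # assumed threshold for a quarterly dormant-account review
REVIEW_DATE = date(2022, 1, 8)  # the last day of access described in the case

# Constructed sample inventory (hypothetical users, not Illuminate's data).
# "left" is the HR termination date (None = current staff); "last_login" is
# the most recent authentication recorded by the identity provider.
ACCOUNTS = [
    {"user": "a.current", "left": None, "last_login": date(2022, 1, 7),
     "mfa": True, "student_data": True},
    # Former employee gone 3.5 years; the login on 2021-12-28 is the attacker's.
    {"user": "b.former", "left": date(2018, 6, 28), "last_login": date(2021, 12, 28),
     "mfa": False, "student_data": True},
    {"user": "c.contractor", "left": None, "last_login": date(2021, 5, 1),
     "mfa": True, "student_data": False},
    {"user": "d.analyst", "left": None, "last_login": date(2022, 1, 3),
     "mfa": False, "student_data": True},
]


def review_accounts(accounts, today):
    """Return (user, code, detail) findings for accounts violating the
    offboarding, dormancy and MFA controls; one account may raise several."""
    findings = []
    for a in accounts:
        if a["left"] is not None:
            # Offboarding keys on HR status. A recent login on an ex-employee's
            # account is not evidence of legitimacy; it is an incident indicator.
            findings.append((a["user"], "ORPHANED",
                             "left %d days ago, still enabled" % (today - a["left"]).days))
        elif a["last_login"] is None or (today - a["last_login"]).days > DORMANT_DAYS:
            findings.append((a["user"], "DORMANT",
                             "no login in more than %d days" % DORMANT_DAYS))
        if a["student_data"] and not a["mfa"]:
            findings.append((a["user"], "NO_MFA",
                             "student-data access without MFA"))
    return findings


def accounts_to_disable(accounts, today):
    """Users to disable pending review: every orphaned or dormant account."""
    return sorted({u for u, code, _ in review_accounts(accounts, today)
                   if code in ("ORPHANED", "DORMANT")})


if __name__ == "__main__":
    for user, code, detail in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{user:14} {code:9} {detail}")
    print("disable:", accounts_to_disable(ACCOUNTS, REVIEW_DATE))
```

A login-recency check alone clears b.former on the review date; only the HR-status check flags it.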

06

SOURCES

FTC Proposed Consent Order, NY AG Settlement, California AG Settlement, Connecticut AG SOPPA Enforcement
