
FTC Orders EdTech Firm to Overhaul Security After 10M Student Data Breach

The Federal Trade Commission reached a settlement with Illuminate Education requiring comprehensive data security measures and deletion of unnecessary student information following a 2021 breach that exposed personal data of 10.1 million students. The breach occurred when hackers used credentials from a former employee who had left the company three and a half years earlier.


Key Takeaways

  • FTC settlement requires Illuminate Education to implement data security program and delete unnecessary student information after breach affecting 10.1 million students
  • Hackers accessed student databases using credentials from former employee who had left company three and a half years earlier
  • Breach exposed sensitive information including email addresses, birth dates, academic records, and health-related data of students nationwide

The Federal Trade Commission ordered education technology provider Illuminate Education to implement a comprehensive data security program and delete unnecessary student information to settle allegations that the company's security failures led to a breach affecting more than 10 million students.

In a complaint filed Tuesday, the FTC alleged that Wisconsin-based Illuminate claimed to protect student privacy and security but failed to deploy reasonable measures to safeguard personal data stored in cloud-based databases. The security lapses resulted in a December 2021 breach that exposed sensitive information of 10.1 million students.

"Illuminate pledged to secure and protect personal information about children and failed to do so," said Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection. "Today's action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children's medical diagnoses and other personal data."

The breach occurred when a hacker gained access to Illuminate's cloud-stored databases using credentials belonging to a former employee who had departed the company three and a half years earlier. The attack compromised personal data including students' email and mailing addresses, dates of birth, academic records, and health-related information.

Illuminate, which sells cloud-based technology products to schools and school districts nationwide, had marketed itself as a secure platform for student data. On its website, the company claimed it protects "your data like it's our own" and takes "security measures—physical, electronic, and procedural—to help defend against the unauthorized access and disclosure of your information."

In contracts with school systems, Illuminate represented that it implemented practices and procedures designed to meet or exceed private industry best practices. The company pledged to take specific steps to protect and secure student data, including encryption of sensitive information.

However, the FTC's investigation revealed significant security vulnerabilities that Illuminate failed to address. As early as January 2020, a third-party vendor alerted Illuminate to numerous security problems on its network, but the company allegedly failed to take adequate corrective measures.

The FTC complaint details several alleged security failures, including the company's inability to implement reasonable access controls to safeguard students' personal information. The breach highlighted fundamental weaknesses in how the company managed former employee access credentials and monitored its cloud-based systems.

The settlement requires Illuminate to establish and maintain a comprehensive information security program designed to protect personal information from unauthorized access. The company must conduct regular security assessments and implement measures to address identified vulnerabilities.

Additionally, Illuminate must delete personal information that is no longer necessary for providing its services to school customers. This requirement addresses concerns about data minimization and the retention of unnecessary personal information that could be vulnerable to future breaches.

The case represents part of the FTC's broader effort to hold companies accountable for protecting children's personal information online. The agency has increased enforcement actions against education technology companies that fail to implement adequate security measures for student data.

For schools and parents, the breach underscores the importance of understanding how education technology vendors handle student information. School districts often contract with multiple technology providers that collect and store various types of student data, from academic performance to health records.

The settlement also highlights the need for robust vendor management practices in educational institutions. Schools must evaluate not only the educational value of technology products but also the security practices of companies that will have access to student information.

Education technology companies handle increasingly sensitive data as digital learning tools become more sophisticated. Beyond basic academic records, these platforms often collect behavioral data, assessment results, and personal information that could be used to identify individual students.

The FTC's action sends a clear message to the education technology sector about the agency's expectations for data security. Companies that promise to protect student information must implement meaningful security measures, not just marketing claims about data protection.

Moving forward, education technology providers will need to demonstrate concrete security practices, including proper access controls, regular security assessments, and prompt responses to identified vulnerabilities. The cost of inadequate security extends beyond regulatory penalties to include damage to company reputation and loss of customer trust.

The settlement reflects growing regulatory attention to student privacy protection as education technology use expands across K-12 schools. With millions of students using digital learning platforms daily, ensuring robust data security has become a critical consumer protection issue that affects families nationwide.


Original Source: ftc-news

This AI-generated summary is based on publicly available legal news, court documents, legislation, regulatory filings, and legal developments. For informational purposes only; not legal advice.