TL;DR: Illuminate Education, an edtech company used by 5,200 schools and serving 17 million students, got hacked in December 2021 because a former employee's login credentials still worked, three and a half years after they left. The breach exposed personal data on 10.1 million students, including dates of birth, addresses, student records, and health information. The company had promised schools it encrypted student data. It didn't. Records sat in plaintext. Some districts weren't told about the breach for nearly two years. In December 2025, the FTC finalized its settlement. The penalty? No money. Just a promise to actually secure the data this time. States extracted $5.1 million separately.
What Happened
In late December 2021, a hacker used the credentials of a former Illuminate Education employee (someone who'd left the company three and a half years earlier) to break into cloud databases holding student records [1]. No sophisticated exploit. No zero-day. Just a login that should have been killed in 2018.
The attacker accessed records for 10.1 million students across thousands of American schools.
What was exposed:
- Student names and email addresses
- Mailing addresses
- Dates of birth
- Student records and academic information
- Health-related information
- Gender, ethnicity, home language, special education status
- Socioeconomic status data
That last one bears repeating. Schools handed Illuminate data about children's economic circumstances, health conditions, and special education needs. Illuminate left it all sitting in plaintext on a cloud server accessible with a long-departed employee's password.
The Encryption Lie
Here's what makes this breach particularly egregious.
Illuminate's contracts with school districts explicitly stated that student data would be encrypted [2]. Their website boasted about safeguarding data "like it's our own" using "security measures, physical, electronic, and procedural." The New York City Department of Education signed on because Illuminate committed, in writing, to encrypt student information.
None of that was true. Student data was stored in plaintext until at least January 2022, after the breach had already happened [1].
The FTC's complaint is blunt: Illuminate made "false or misleading representations" about its data security practices. They sold schools on encryption they never implemented. Every contract promising encryption was a lie.
They Knew, and Did Nothing
It gets worse. In January 2020 (nearly two years before the breach), a third-party vendor told Illuminate about "numerous security vulnerabilities" across its network [1]. The FTC found that Illuminate "failed to take steps to adequately correct these problems."
The full list of security failures the FTC documented:
- No reasonable access controls: a former employee's credentials worked 3.5 years later
- No threat detection: nobody noticed the intrusion
- No vulnerability monitoring: they were warned and ignored it
- No patch management: known flaws went unpatched
- Plaintext storage: data they claimed was encrypted wasn't
This wasn't a company that tried its best and got unlucky. This was a company that made promises it never intended to keep, ignored direct warnings, and let a three-and-a-half-year-old credential provide full database access to anyone who had it.
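The first two failures on that list, a departed employee's credentials still working and nobody noticing when they were used, are the kind of thing a routine reconciliation between HR records and the identity provider catches. The script below is an added example, not Illuminate's code or anything from the FTC record: it cross-references a constructed HR roster export against a constructed account export, flags enabled accounts whose owners have left, and, most importantly, flags any login that occurred after the owner's termination date, which is evidence of use rather than mere exposure. The field names, users and dates are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: an HR roster export and an identity-provider
# account export. None of this is Illuminate's data; the names, dates and
# field layout are assumptions for the example.
HR_ROSTER = [
    {"user": "alice", "status": "active",     "terminated_on": None},
    {"user": "bob",   "status": "terminated", "terminated_on": "2018-06-15"},
    {"user": "carol", "status": "terminated", "terminated_on": "2021-11-01"},
    {"user": "dave",  "status": "active",     "terminated_on": None},
]

ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2021-12-20"},
    {"user": "bob",   "enabled": True, "last_login": "2021-12-28"},  # left in 2018, still logging in
    {"user": "carol", "enabled": True, "last_login": "2021-10-30"},  # left, account never disabled
    {"user": "dave",  "enabled": True, "last_login": "2021-05-01"},  # active employee, dormant account
    {"user": "erin",  "enabled": True, "last_login": "2021-12-01"},  # no HR record at all
]


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str   # "critical" or "high"
    reason: str


def _parse(d: Optional[str]) -> Optional[date]:
    return date.fromisoformat(d) if d else None


def audit_accounts(roster, accounts, as_of: date, dormancy_days: int = 90):
    """Cross-reference identity accounts against HR status.

    Flags, most severe first:
      * an enabled account whose owner HR lists as terminated and that shows a
        login AFTER the termination date (evidence the credential was used);
      * an enabled account whose owner is terminated (exposure, no use seen);
      * an enabled account with no HR record at all (orphan, unknown owner);
      * an enabled account with no login in `dormancy_days` (dormant).
    """
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is the desired end state
        user = acct["user"]
        last_login = _parse(acct["last_login"])
        hr = by_user.get(user)
        if hr is None:
            findings.append(Finding(user, "high", "enabled account with no HR record (orphan)"))
            continue
        if hr["status"] == "terminated":
            term = _parse(hr["terminated_on"])
            if last_login and term and last_login > term:
                days = (last_login - term).days
                findings.append(Finding(user, "critical",
                    f"login {days} days after termination on {term.isoformat()}"))
            else:
                when = term.isoformat() if term else "unknown date"
                findings.append(Finding(user, "high",
                    f"enabled account for user terminated on {when}"))
            continue
        if last_login is None or (as_of - last_login).days > dormancy_days:
            findings.append(Finding(user, "high",
                f"no login for more than {dormancy_days} days"))
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.user))


def run_sample_audit():
    """Run the audit over the constructed sample as of 2021-12-31."""
    return audit_accounts(HR_ROSTER, ACCOUNTS, as_of=date(2021, 12, 31))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity.upper():8}] {f.user}: {f.reason}")
```

Run against the sample, the post-termination login is the single critical finding, which is exactly the signal that was missing here: an access log entry for a user HR stopped paying in 2018. In practice the two inputs would come from the HR system and the identity provider on a schedule, and a critical finding would disable the account and open an incident rather than print a line.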
Two Years to Tell the Schools
Illuminate detected the breach in early 2022. It publicly disclosed it on March 25, 2022 [3]. But the FTC found that some school districts (representing more than 380,000 students) weren't notified for nearly two years [1].
Think about what that means. Parents had no idea their children's health information, special education status, and home addresses had been stolen. Teachers and administrators were still using a platform they believed was secure. Kids whose data was in the hands of criminals had no protection in place.
And the scale in New York alone was staggering. The New York State Education Department found 565 schools and over 1 million current and former students were affected [3]. In New York City alone, approximately 820,000 students were affected, one of the largest single-district data breaches in U.S. history [4]. NYC subsequently dropped Illuminate entirely.
The FTC's Response: No Fine
On December 1, 2025, the FTC voted 2-0 to accept a consent order against Illuminate Education [1]. The terms:
- Stop making false claims about data security
- Delete student data no longer needed for service delivery
- Publish a data retention schedule
- Implement a "comprehensive information security program"
- Notify the FTC when alerting government agencies about future breaches
The monetary penalty: $0.
A company lied about encryption, ignored security warnings, exposed 10.1 million children's records, and waited up to two years to notify victims, and the federal government's response is "please do better."
The states did slightly more. New York Attorney General Letitia James, along with California and Connecticut, extracted $5.1 million from Illuminate in November 2025 [5]. New York got $1.7 million, California took $3.25 million, and Connecticut received $150,000. That's roughly 50 cents per affected student.
Edtech's Student Data Problem
Illuminate isn't an isolated case. It's a symptom.
American schools hand enormous amounts of sensitive data to third-party edtech vendors. Illuminate alone reached 17 million students across 5,200 schools and districts. These companies collect everything: grades, attendance, behavioral records, health conditions, family income, disability status, immigration background.
After the breach, Illuminate was removed from the Student Privacy Pledge (an industry self-regulation pact) because they'd violated its terms [6]. The same period saw the three largest school districts in America affected: students in New York City, Los Angeles, and Chicago were all hit by the Illuminate breach or by similar vendor breaches.
Self-regulation clearly isn't working. Illuminate was a pledge signatory when it stored data in plaintext. The pledge didn't prevent the breach, didn't detect it, and didn't force timely notification.
What You Can Do
If Your Child Was Affected
- Check with your school district: ask if they used Illuminate Education between 2018 and 2022
- Place a credit freeze on your child's identity through all three credit bureaus (it's free)
- Monitor for identity theft: stolen children's identities can go unnoticed for years
- Be suspicious of any communications claiming to be from your school district
- New York parents: check NYSED's breach notice page for affected schools
If You're a Parent or Teacher
- Ask your school district what edtech vendors they use and what data they share
- Push for data minimization: schools shouldn't share data vendors don't absolutely need
- Demand to see vendor security certifications and independent audit results
- Support state-level student privacy legislation: federal enforcement is clearly inadequate
- Check if your state has a student data privacy law at Student Privacy Compass
The Bottom Line
Illuminate Education lied about encrypting student data. They left a former employee's credentials active for three and a half years. When a third party warned them about security holes, they ignored it. When the inevitable breach hit 10.1 million students, they waited up to two years to tell some school districts.
The federal government's response? No fine. Just a promise to try harder next time.
If you're a parent wondering whether your child's school is handing their data to a company with the same security posture as Illuminate, the answer is: probably. And the FTC just showed every edtech company in America exactly what happens if they get caught. Nothing meaningful.
References
- The Record: Edtech company settles with FTC in wake of data breach (December 2025)
- National Law Review: FTC Settles With Illuminate for Data Breach of 10M Students' Data (December 2025)
- THE Journal: 565 Schools, Over 1M Students in NY Impacted by Illuminate Data Breach (May 2022)
- K-12 Dive: Data breach exposes 820K New York City students' information (2022)
- NY Attorney General: $5.1 Million Settlement with Illuminate Education (November 2025)
- EdWeek Market Brief: Illuminate Removed From Ed-Tech Privacy Pact (August 2022)