On December 1, 2025, the Federal Trade Commission (FTC) approved a proposed complaint and order against Illuminate Education, Inc., an education technology provider requiring it to “to implement a data security program and delete unnecessary data to settle allegations that the company’s data security failures led to a major data breach, which allowed hackers to access the personal data of more than 10 million students.”

The FTC alleges that Illuminate “failed to deploy reasonable security measures to protect student data stored in cloud-based databases. These failures led to a major data breach.” According to the complaint, in late December 2021, a hacker used the credentials of a former employee to access Illuminate’s databases stored in the cloud.  The threat actor accessed information including students’ email addresses, mailing addresses, dates of birth, student records, and health information.

The FTC further alleges that Illuminate failed to notify school districts in a timely manner, as “it waited nearly two years to notify some school districts, comprising more than 380,000 students, about the data breach.”

The FTC’s proposed order includes:

• Deleting personal information no longer needed to provide requested services;
• Following a publicly available data retention schedule that details why information is collected and establishes a timeframe for its deletion;
• Establishing and implementing a comprehensive information security program that protects the security, availability, confidentiality, and integrity of personal information it collects; and
• Notifying the FTC if it has alerted another federal, state, or local government about a data breach involving consumers’ personal information.

There was no monetary settlement included in the proposed order. The FTC voted 2-0 to accept the proposed complaint and order for public comment.