FTC orders Illuminate Education to bolster data security after breach impacting 10M students
Publish Date: 2026-06-08 14:17:00
Source Domain: statescoop.com
The Federal Trade Commission finalized an order Friday against K-12 software vendor Illuminate Education, directing the company to improve its data security measures and barring it from misrepresenting its data privacy practices or breach notification times after a breach in 2021 impacted the data of more than 10 million current and former students.
The final order, which the FTC said was modified following a period of public comment, comes after the federal agency found that Illuminate, which provides student grading and attendance software, allegedly failed to implement reasonable security controls. These failures, the FTC alleged, were contributing factors in a December 2021 cyberattack on the company, which exposed the personal data of about 10.1 million current and former students across dozens of school districts in several states, including New York City’s large public school system.
In the attack, a hacker allegedly used credentials of a former employee to access the data, which included students’ email and mailing addresses, dates of birth, student records, and health-related information. The FTC also alleged that Illuminate ignored security warnings dating back to 2020, such as those from a third-party vendor about security vulnerabilities on its network. Illuminate’s security woes included failing to implement reasonable access controls that safeguard students’ personal information, effective threat detection and response, vulnerability monitoring, and patch management practices.
Additionally, the FTC claimed the company did not inform some school districts of the breach in a timely manner, with some not notified until two years after the breach.
Instead of a monetary settlement, the agency has directed the company to show that it’s making improvements to its data practices. The order directs the company to establish a comprehensive data security program and to limit the collection and retention of certain consumer…