

Settlement Against Illuminate Education Highlights Expanding Enforcement of Student Data Privacy Laws

On November 6, 2025, the attorneys general of California, Connecticut, and New York announced a $5.1 million settlement with Illuminate Education, Inc. (“Illuminate”), resolving allegations that the company failed to protect student data.

The settlement follows a 2021 data breach that exposed the sensitive personal data of millions of students. The exposed data categories included “sensitive personal and medical information, such as student name, race, disability and accommodation status, and coded medical information.”

Findings

In December 2021, Illuminate’s network was accessed by a hacker using the credentials of a former employee who had left the company years earlier. The investigation by the California Department of Justice (“DOJ”) “determined that Illuminate failed to carry out basic security procedures to protect student information:”

  • Former employee credentials left active: Illuminate failed to terminate the login credentials of former employees, resulting in improper access.

  • Lack of monitoring: The company did not monitor and alert for suspicious logins.

  • Insecure backups: Illuminate did not secure its backup databases separately from its active databases, enabling the compromise of both.

  • Deceptive claims: The investigation also determined that Illuminate’s Privacy Policy “made false and misleading statements” such as stating that the company “took steps to prevent unauthorized access and disclosure of information” and that such measures met or exceeded “applicable federal and state law.” The privacy policy also incorrectly advertised that Illuminate was signatory to the Future of Privacy Forum’s Student Privacy Pledge, despite having been dropped from the list of signatories following the breach.

Settlement Terms

In addition to the $5.1 million fine, Illuminate must also:

  • Implement appropriate controls, including terminating the credentials of former employees

  • Implement monitoring for suspicious access and activity

  • Implement safeguards to protect backup databases

  • Inform the DOJ of breaches involving student data

  • Provide reminders to school districts to perform a review of student data stored by Illuminate on the school’s behalf, including reminders related to retention and deletion

Takeaways

This marks the California DOJ’s first enforcement action under the state’s K–12 Pupil Online Personal Information Protection Act (“KOPIPA”), which requires “reasonable security procedures and practices” for operators handling student data. The case also represents the first enforcement action under Connecticut’s Student Data Privacy Law. Connecticut Attorney General William Tong emphasized that the case should serve as a “strong message” to education technology providers that “they must take privacy obligations seriously.”

The settlement serves as a reminder that data protection failures in regulated educational contexts can trigger overlapping enforcement under consumer protection, privacy, and cybersecurity statutes. It also highlights the increasing expectations for transparency, accurate representations, and proactive oversight in vendor contracts involving student data. Companies should note the warning from California Attorney General Rob Bonta: “Today’s settlement should send a clear message to tech companies, especially those in the education space [that] California law imposes heightened obligations for companies to secure children’s information.”
