New York Attorney General Letitia James, along with California Attorney General Rob Bonta and Connecticut Attorney General William Tong, announced a $5.1 million settlement with Illuminate Education, Inc., an educational technology company, for failing to protect student data. Illuminate provides software used by schools across the United States to monitor students’ attendance, grades, and other development metrics.
In 2022, a data breach at Illuminate exposed personal information of millions of students nationwide, including about 1.7 million in New York. The breach allowed hackers to access unencrypted database files containing student names, birth dates, ID numbers, and demographic details from approximately 750 New York schools.
An investigation by the New York Office of the Attorney General (OAG) and the New York State Education Department (NYSED) found that Illuminate did not have basic security measures in place. The company failed to encrypt student data, monitor for suspicious activity on its platforms, deactivate inactive user accounts, limit account permissions appropriately, delete outdated student data after contracts ended with school districts, and fully investigate the breach when it occurred.
Attorney General James stated: “Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure. Illuminate violated that trust and did not take basic steps to protect students’ data. Today’s settlements will ensure that Illuminate protects students’ data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online.”
Connecticut Attorney General Tong commented: “Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information. Illuminate failed to implement basic safeguards and exposed the personal information of millions of students, including thousands here in Connecticut. This action—Connecticut’s first ever under the Student Data Privacy Law—holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”
California Attorney General Bonta added: “Illuminate failed to appropriately safeguard the data of school children, resulting in a data breach that compromised the sensitive data of students nationwide, including more than 434,000 California students. Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids. Today’s settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children’s’ information. I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents’ data. Data security concerns know no borders, and as today’s settlements showcase, neither should state collaboration.”
NYSED Commissioner Rosa said: “Administrators, caregivers, and students should feel confident that the software platforms used in schools uphold the highest standards of data security and privacy. By failing to follow even the most basic security protocols, Illuminate exposed the personal information of millions of students to bad actors—an egregious breach of trust and data protection. I thank the attorneys general—especially Letitia James of New York—for their partnership in this investigation and commend them for their unwavering dedication to safeguarding the personal information of our students and families.”
The settlement requires Illuminate not only to pay $5.1 million—with $1.7 million going specifically to New York—but also mandates several changes aimed at improving its cybersecurity practices:
– Implementing a comprehensive information security program.
– Establishing policies limiting access rights.
– Encrypting all collected or stored student data.
– Monitoring networks for unusual activity.
– Creating a vulnerability management system.
Additionally, Illuminate must notify schools annually about what types of student records it holds so outdated or inactive records can be deleted.
The matter was handled by members from OAG’s Bureau of Internet and Technology under Division for Economic Justice leadership.
