Overview
- Regulators say a late-2021 intrusion used credentials from a long-departed employee to access cloud-hosted databases and exfiltrate data on roughly 10.1 million students, including health-related details.
- The FTC alleges Illuminate stored student records in plain text until January 2022, lacked basic access controls and monitoring, and ignored third-party warnings about serious vulnerabilities dating back to January 2020.
- Under the proposed order, the company must delete unnecessary student information, publish and follow a data-retention schedule, implement a comprehensive information-security program, and cease misrepresenting its practices.
- The complaint also faults the company for delayed notifications, saying some districts—and about 380,000 students—were left uninformed for nearly two years.
- While the FTC action imposes structural remedies, violations of a finalized order could trigger civil penalties, and separate state cases in California, Connecticut, and New York recently settled for $5.1 million.