California Attorney General Rob Bonta, along with Connecticut Attorney General William Tong and New York Attorney General Letitia James, announced a $5.1 million settlement with Illuminate Education, Inc., an educational technology company. The settlement follows a 2021 data breach that exposed the personal information of millions of students, including more than three million in California across 49 school districts. More than 434,000 California students had sensitive information stolen during the breach.
According to investigators, the compromised data included names, race, details about special education services or accommodations, and coded medical conditions. The breach occurred when a hacker accessed Illuminate’s network using credentials from a former employee whose access had not been terminated after leaving the company. The attacker then created new credentials for future access and spent several days stealing and deleting student data.
The California Department of Justice found that Illuminate failed to terminate former employees’ login credentials, did not monitor for suspicious activity, and stored backup databases within the same network segment as active databases—making them vulnerable once the main database was compromised. Investigators also determined that Illuminate made false statements in its Privacy Policy regarding its security practices and advertised itself as a signatory of the Future of Privacy Forum’s “Student Privacy Pledge,” but was later removed from the list after the breach.
“Illuminate failed to appropriately safeguard the data of school children, resulting in a data breach that compromised the sensitive data of students nationwide, including more than 434,000 California students. Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids,” said Attorney General Rob Bonta. “Today’s settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children’s’ information. I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents’ data. Data security concerns know no borders, and as today’s settlements showcase, neither should state collaboration.”
“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information. Illuminate failed to implement basic safeguards, and exposed the personal information of millions of students, including thousands here in Connecticut,” said Attorney General Wiliam Tong. “This action—Connecticut’s first ever under the Student Data Privacy Law—holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”
“Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure,” said Attorney General Letitia James. “Illuminate violated that trust and did not take basic steps to protect students’ data. Today’s settlements will ensure that Illuminate protects students’ data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online.”
As part of the settlement terms—subject to court approval—Illuminate will pay $3.25 million in civil penalties to California out of the total $5.1 million paid across all states involved. The company has also agreed to strengthen its data security measures by implementing stricter access controls; conducting audits; monitoring real-time suspicious activity; securing backup databases separately from active ones; notifying authorities about breaches involving student data; and reminding school districts about reviewing stored student information.
This case marks California DOJ’s first enforcement action under KOPIPA (K-12 Pupil Online Personal Information Protection Act), which mandates reasonable security procedures for online services used by K-12 schools.
Attorney General Bonta emphasized ongoing efforts on consumer privacy protection by highlighting recent settlements with other companies over alleged violations involving personal or children’s data.
A copy of the complaint can be found here. A copy of the proposed judgment remains subject to court approval.
