According to the FTC, the order requires Illuminate to implement a data security program, limit collection and retention of consumer data, and delete unnecessary data. While the June 5 action closes a high-profile student data breach case, it also signals what federal regulators increasingly expect from ed-tech vendors: collect less student data, retain it for shorter periods, disclose breaches promptly and back up cybersecurity claims with documented security practices.
The case, which reached a settlement in 2025, centers on a breach disclosed in 2022 involving Illuminate, a Wisconsin-based company that makes software for student assessment and analytics. In a news release last week, the FTC said Illuminate claimed to protect the privacy and security of student data but failed to use reasonable security measures for information stored in cloud databases.
“According to the FTC’s complaint, these failures led to a major data breach, which allowed a hacker to access personal data of 10.1 million students, including their email and mailing addresses, dates of birth, student records and health-related information,” the news release said.
The FTC also said Illuminate had advance warning about the risks. According to the news release, almost two years before the breach, a third-party vendor alerted the company to numerous security vulnerabilities on its network, but the company failed to take steps to adequately address the problems. The FTC also alleged the company failed to notify schools about the breach in a timely manner, as it had promised.
The final order applies to Illuminate and its covered products, which the order identifies as including eSchoolData, eduCLIMBER, DnA, FastBridge and SchoolCity, along with their versions, revisions and successor products. Under the order, Illuminate is prohibited from misrepresenting its privacy and data security practices.
The order also requires Illuminate to delete or destroy covered information within 90 days if retaining it is not reasonably necessary to provide products or services under customer contracts and is not requested by customers. It further bars the company from collecting, processing or maintaining information that is not reasonably necessary to provide contracted products or services, except when requested by customers or otherwise required by law or public entities.
The order’s security requirements are detailed. It says Illuminate must, within 90 days, “establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity” of covered information.
Illuminate must also obtain initial and biennial assessments from an independent third-party professional for 10 years after issuance of the order. The order requires annual certifications to the FTC and says that, within 14 days of notifying any federal, state or local government entity about a covered incident, Illuminate must submit a report to the commission.
While FTC actions specifically tied to data breaches in the ed-tech sector are not common, Illuminate is not the first ed-tech company to face a federal order after a security incident. In 2023, the FTC ordered the digital tutoring company Chegg to limit its data retention and implement stronger security and access controls, and in 2025 required it to pay a $7.5 million settlement. In 2024, the FTC ordered the cloud payment company Blackbaud, whose clients include schools, to delete unnecessary data and make security improvements.