California Attorney General Secures Multi-Million Settlement Against EdTech Company Illuminate for Student Data Breach

California Attorney General Rob Bonta, together with the Attorneys General of Connecticut and New York, recently announced a $5.1 million settlement with Illuminate Education, Inc., due to the company’s failure to protect student data. In 2021, Illuminate experienced a major data breach that compromised the information of millions of students, including more than 434,000 California students across 49 school districts. The affected data included sensitive data such as student names, race, medical conditions, and special education information.

The investigation found that Illuminate:

• Failed to disable login credentials for former employees.

• Lacked real-time monitoring for suspicious activity.

• Stored active and backup databases within the same network segment.

• Made misleading statements in its privacy policy, claiming compliance with privacy laws and adherence to the Student Privacy Pledge.

The settlement requires Illuminate to pay $3.25 million to California (and $5.1 million total across the three states) and commit to a number of regulatory and compliance requirements. This enforcement underscores California’s growing focus on student data privacy and the responsibility of education technology providers to maintain safe and rigorous cybersecurity practices. For school districts, this is also a reminder of the importance of vendor oversight including vetting third-party service providers, reviewing contract terms, and ensuring compliance with state and federal data privacy laws. Attorney General Bonta’s office has made clear that the state will continue to pursue companies that fail to safeguard student data. 

“California law imposes heightened obligations for companies to secure children’s information.”