United States of America: Federal Trade Commission published complaint against Illuminate Education over failure to secure students' personal data

On 1 December 2025, the Federal Trade Commission (FTC) published a complaint against educational technology provider Illuminate Education. The FTC alleged that Illuminate Education failed to take appropriate cybersecurity measures, leading to a cybersecurity incident in which the personal data of 10.1 million students was compromised. The FTC complaint claims that Illuminate Education did not implement reasonable access controls, effective threat detection and response, and vulnerability monitoring, as well as failing to notify school districts. The FTC published a proposed consent order, which would prohibit Illuminate Education from making misrepresentations about its data security practices, mandate the deletion of a range of data, and require the implementation of a comprehensive information security programme. The consent order will be subject to a comment period on publication in the Federal Register, after which the FTC will decide whether to make the order final.