The FTC approved a modified order against Illuminate Education Inc. over alleged failures to protect student personal data. The agency alleges a hacker accessed information for 10.1 million students, including names and dates of birth.

The Federal Trade Commission (FTC) announced final approval of a modified order aimed at Illuminate Education Inc., alleging the company failed to deploy reasonable security measures to protect student data. According to the FTC, the security breakdown contributed to a major breach in which an unauthorized party obtained personal information for 10.1 million students. The complaint alleges exposed data included sensitive identifiers such as students’ names and dates of birth—details that can be used for identity theft, account takeovers, and downstream fraud. Under the order, Illuminate is required to take specific steps related to data-security practices. The FTC’s action also focuses on tightening how the company collects, limits, and retains personal information, as well as ensuring appropriate handling when data is deleted and when affected individuals are notified. The FTC’s rationale is that the alleged misconduct and inadequate safeguards created foreseeable risk to consumers, particularly because the impacted population includes minors and students. The order is designed to prevent future misrepresentations about security while requiring defined compliance steps around safeguarding and managing personal data.