As part of the FTC’s final order, Illuminate Education must improve safeguards, limit retention/collection of personal data, and follow required deletion and notification steps. The FTC alleges the breach affected 10.1 million students.

Alongside its approval of a settlement-based enforcement action, the FTC emphasized that the relief imposed on Illuminate Education Inc. is meant to address both security controls and data lifecycle failures. The FTC alleges that Illuminate did not take reasonable measures to secure students’ personal information, enabling a hacker to access records tied to 10.1 million students. The FTC highlights that such identifiers—including names and dates of birth—can enable fraudsters to open accounts, pass identity verification checks, or create synthetic identities. The final order requires Illuminate to implement improvements intended to reduce the risk of further unauthorized access. It also requires the company to change how it collects and retains personal information, limiting retention of sensitive data and ensuring that collection practices align with what is necessary for legitimate operations. In addition, the FTC’s order includes obligations relating to deletion and notification. The FTC’s framing points to a common enforcement theme: when organizations fail to secure highly sensitive data, they may not only face breaches but also face restrictions on what they are allowed to do with personal information afterward. For consumers, the practical takeaway is that education-related data exposures can create long-tail identity theft risk, especially because breaches involving birthdates and names can be used repeatedly across many fraud attempts.