ZERO|TOLERANCE Intelligence Advisory
zerotolerance.me
HIGH

Illuminate Education FTC Action Over 10.1 Million Student Records Breach

Dec 1, 2025 · $5.1M settlement

Publication Date: 2025-12-01
Category: Regulatory Enforcement
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

A former employee's login credentials still worked three and a half years after they left the company. No MFA. No encryption. Eleven days of access. 10.1 million K-12 student records.

Executive Summary

KEY FACTS

  • What: Former employee's dormant credentials used to access systems for 11 days.
  • Who: 10.1 million K-12 students across the United States.
  • Data Exposed: Grades, health records, disabilities, and student IDs.
  • Outcome: FTC consent order and $5.1M multi-state settlement.

Incident Overview

WHAT HAPPENED

On December 28, 2021, an attacker used stolen credentials belonging to a former Illuminate Education employee to access the company's internal systems. The former employee had left Illuminate three and a half years earlier. Their account had never been decommissioned, deactivated, or flagged for review. No multi-factor authentication was required to authenticate. The attacker maintained persistent access for eleven consecutive days, from December 28, 2021 through January 8, 2022, accessing databases containing records for 10.1 million K-12 students across the United States.

The compromised data included student names, dates of birth, email addresses, student identification numbers, academic records (grades, test scores, attendance), and - critically - health information including disabilities, medical conditions, and school nurse records. The New York City Department of Education alone had 820,000 students across 750 schools exposed. California accounted for approximately 3 million affected students.

The data was stored unencrypted in plaintext, meaning the attacker had immediate access to readable records without needing to defeat any additional protective controls.

Illuminate had actively marketed its products with claims of "bank-level security" - a characterization the FTC found to be straightforwardly deceptive given the absence of MFA, plaintext data storage, and abandoned employee accounts with active credentials. In December 2025, the FTC issued a consent order, and attorneys general in New York, California, and Connecticut secured a combined $5.1 million multi-state settlement. The case became a landmark enforcement action establishing that edtech companies making false security claims will face regulatory consequences.

Impact Assessment

WHAT WAS EXPOSED

Student names, email addresses, dates of birth, student identification numbers. Academic performance data (grades, test scores, attendance). Health information including disabilities, medical conditions, and school nurse records. Special education data. NYC DOE: 820,000 students across 750 schools. California: approximately 3 million affected students.

Analysis

DECEPTIVE SECURITY MARKETING

Illuminate marketed its products with claims of "bank-level security" that were straightforwardly false. A company lacking MFA, storing data in plaintext, and failing to decommission employee accounts for 3.5 years does not provide "bank-level security."

Assessment

ZERO|TOLERANCE Advisory

1. Formal IAM program with mandatory offboarding procedures
2. Quarterly access reviews for dormant accounts
3. Universal MFA for all accounts with student data access
4. Encryption at rest for all sensitive data fields
5. Internal review process for security claims in marketing materials

References

SOURCES

  • FTC Proposed Consent Order
  • NY AG Settlement
  • California AG Settlement
  • Connecticut AG SOPPA Enforcement