Court Rules
All enforcement actions
SettlementHigh RiskMultistate

Multistate AGs Secure $5.1M from Illuminate Education for Student Data Breach

Illuminate Education, Inc.November 6, 2025New York Attorney General

Penalty Amount

$5,100,000

Summary

New York, California, and Connecticut attorneys general reached a $5.1 million settlement with educational technology company Illuminate Education, Inc. for failing to protect student data, resulting in a 2022 breach exposing millions of students’ personal information. The investigation found Illuminate failed to implement basic security measures including data encryption, suspicious activity monitoring, and proper decommissioning of inactive user accounts, and did not delete student data when required by contracts. Illuminate must pay the penalty and implement enhanced data security measures including a comprehensive information security program, encryption of student data, and annual notice to schools about data collection and deletion options.

Remedy

Illuminate must pay $5.1 million in penalties and costs, with New York receiving $1.7 million. The company is required to implement a comprehensive information security program including data encryption, access limitations, network monitoring for suspicious activity, and a vulnerability management program. Illuminate must also provide annual notices to schools identifying collected student data categories and allow schools to request deletion of dated or inactive student records.

Monetary PenaltyCompliance ProgramData Deletion

Contract Impact

In-house legal teams should review all edtech and student data vendor agreements to ensure they include mandatory data encryption requirements, provisions for decommissioning inactive user accounts, and obligations to monitor for suspicious network activity. Contracts should also specify student data retention and deletion timelines, require vendors to maintain comprehensive information security programs, and mandate vulnerability management processes. Additionally, agreements should require vendors to provide annual notices detailing collected student data categories and allow the institution to request deletion of inactive or outdated student records. Teams should also verify that vendors do not misrepresent their data security practices and are compliant with applicable state student data privacy laws.

Contract Search Terms

student data security requirementsdata encryption obligationsinactive user account decommissioningstudent data deletion clausevulnerability management programsuspicious activity monitoringstudent data retention policyedtech vendor compliance

Laws Cited

Connecticut Student Data Privacy LawCalifornia student data privacy lawsNew York student data privacy laws

Violation Types

Entity Details

Entity

Illuminate Education, Inc.

Also known as: Illuminate Education

Industry

Technology

Multistate Coalition

Official Sources

Source Evidence

Entity Name
"educational technology company Illuminate Education, Inc. (Illuminate)"
Fine Amount
"secured $5.1 million from educational technology company Illuminate Education, Inc. (Illuminate)"
Event Date
"November 6, 2025"
Laws Cited
"Connecticut’s Student Data Privacy Law requires strict security to protect children’s information"
Laws Cited
"California law imposes heightened obligations for companies to secure children’s’ information"
Violation Types
"In 2022, Illuminate experienced a data breach that exposed the personal information of millions of students"

Related Enforcement Actions

NY

N/A

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning residents of potential price gouging by transportation service providers during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential services like transportation during market disruptions. No specific privacy violations or enforcement actions against individual entities were announced in the alert.

NY

No specific entity cited

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning businesses against engaging in price gouging on transportation services during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential goods and services during market disruptions, with potential penalties of up to $25,000 per violation. No specific enforcement action against a particular entity was announced, only a general warning for businesses and a call for consumers to report suspected price gouging.

NY

N/A

This press release announces New York Attorney General Letitia James leading a coalition of 21 state attorneys general, the District of Columbia, and Pennsylvania’s Governor in filing an amicus brief with the U.S. Supreme Court to stay a Fifth Circuit ruling that would reinstate in-person dispensing requirements for mifepristone, a medication used for abortion. The coalition argues the ruling is scientifically unsupported, would restrict telehealth access to reproductive care, and undermines state sovereignty over abortion policy post-Dobbs. This is not a privacy-related enforcement action, as the content addresses reproductive health policy rather than data privacy violations.

NY

Uphold HQ, Inc.

$5.0M

New York Attorney General Letitia James secured a $5 million settlement from cryptocurrency platform Uphold HQ, Inc. for promoting Cred’s fraudulent CredEarn investment product as safe and reliable, when Cred was making risky loans to uncreditworthy borrowers in China. Uphold also falsely claimed Cred had comprehensive insurance and promoted the product without registering as a broker or commodity broker-dealer under New York law. As part of the settlement, Uphold will pay $5 million to harmed investors, remit $545,189 from Cred’s bankruptcy to customers, improve due diligence policies for third-party products, and register as a broker with the OAG.

NY

Purdue Pharma

$7.4B

New York Attorney General Letitia James announced the shutdown of opioid manufacturer Purdue Pharma as part of a $7.4 billion settlement with a bipartisan coalition of 54 other state attorneys general. The Sackler family, former owners of Purdue, are permanently barred from selling opioids in the U.S. and have no involvement in Knoa Pharma, the new public benefit corporation replacing Purdue. Purdue was sentenced on criminal charges related to its role in the opioid crisis on April 28, 2026, with the new entity operating under strict oversight and excess revenue funding opioid abatement efforts.

NY

American Express, Capital One, Citi Group, Mastercard, Visa, PayPal, Stripe, Sezzle, Block (operator of Square, Cash App, and Afterpay)

New York Attorney General Letitia James led a bipartisan coalition of 24 state attorneys general, Puerto Rico, and New York City in sending letters to nine major credit card companies and payment processors urging them to block transactions facilitating illegal vaping product sales. The coalition cites federal and state laws prohibiting unauthorized e-cigarette sales, particularly to youth, and requests collaboration to prevent payment networks from processing such transactions. No enforcement penalties or actions were imposed as part of this initiative.