IEI A.I CyberSecurity Scoring
IEI
Company Information
Website:http://www.illuminateed.com
Employees number:81
Number of followers:14,397
NAICS:5112
Industry Type:Software Development
Homepage:illuminateed.com
IEI Risk Score (AI oriented)
Between 0 and 549
IEISoftware Development
Updated:
05/06/2026
05/06/2026
146/1000
Critical
C
IEI Global Score (TPRM)
xxxx
IEISoftware Development
Score locked

IEICritical
Current Score
146C (CRITICAL)
01000
10 incidents
-110.67 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
156
JUNE 2026
256
Breach
05 Jun 2026 • IEI
Illuminate Education: US FTC gives final nod to settlement with Illuminate over student data
FTC Finalizes Order Against Illuminate Education Over Massive Student Data Breach
146
CRITICAL-110
ILL1780698799
FTC Finalizes Order Against Illuminate Education Over Massive Student Data Breach
On June 5, 2026, the U.S. Federal Trade Commission (FTC) announced a modified settlement with Illuminate Education, requiring the company to overhaul its data security practices following a major breach that exposed the personal information of millions of students. The order mandates the implementation of a comprehensive data security program, restricts unnecessary data collection and retention, and compels the deletion of excess consumer data.
The FTC’s action resolves allegations that Illuminate Education’s security failures directly led to the breach, which compromised sensitive student records. The company, which provides educational software and data analytics tools, was found to have inadequate safeguards in place, leaving vast amounts of personal data vulnerable.
The settlement underscores the FTC’s ongoing scrutiny of edtech companies’ data handling practices, particularly in sectors serving minors. The case highlights regulatory expectations for proactive security measures and minimized data retention to mitigate breach risks. No financial penalties were disclosed, but the order imposes long-term compliance obligations on Illuminate Education.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
MAY 2026
246
APRIL 2026
245
MARCH 2026
227
FEBRUARY 2026
217
JANUARY 2026
215
DECEMBER 2025
314
Breach
01 Dec 2025 • IEI
Illuminate Education, Inc.: FTC Orders Ed Tech Firm to Secure Data After Student Data Breach
Illuminate Education Data Security Settlement with FTC
194
CRITICAL-120
ILL1764620324
Education technology provider Illuminate Education Inc. will implement a data security program to settle Federal Trade Commission allegations it failed to protect the privacy and data of more than 10 million students.
The proposed order requires the company to delete unnecessary personal information and follow a public data retention schedule. Illuminate must also implement a comprehensive information security program to protect collected personal data. The order stipulates that Illuminate must inform the FTC if it notifies other government entities about data breaches involving consumers’ personal information.
Illuminate didn’t immediately respond to a request for comment. The company neither admitted nor ...
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
NOVEMBER 2025
314
OCTOBER 2025
305
SEPTEMBER 2025
392
Breach
08 Sep 2025 • IEI
Illuminate Education Inc.
Data Breach at Illuminate Education Inc.
290
CRITICAL-102
ILL5403454090925
Illuminate Education Inc. experienced a data breach affecting its educational software solutions, exposing sensitive information of over three million schoolchildren. The compromised data varied but included grades, socio-economic status, and special education details. Notably, Social Security numbers and financial information were not exposed, and there is no evidence that the breached data has been publicly released or misused. The US Court of Appeals for the Ninth Circuit dismissed a proposed class-action lawsuit, ruling that the plaintiffs failed to demonstrate sufficient intangible harms (e.g., emotional distress, identity theft risk) to establish legal standing. While the breach involved highly personal student records, the lack of financial data exposure or confirmed misuse limited its immediate consequences. The incident primarily raised concerns about privacy violations and potential long-term risks, such as targeted phishing or discrimination based on the leaked educational and socio-economic details.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
AUGUST 2025
391
JANUARY 2023
171
Breach
01 Jan 2023 • IEI
PowerSchool and Illuminate: State audit slams NYC schools for lack of student data privacy oversight
New York City Public Schools Face Critical Gaps in Student Data Security, Audit Finds
100
CRITICAL-71
ILLPOW1777933701
New York City Public Schools Face Critical Gaps in Student Data Security, Audit Finds
A five-year audit by New York State Comptroller Thomas DiNapoli has revealed significant vulnerabilities in how New York City Public Schools (NYCPS) manage and protect student data. The report, released on Monday, highlights systemic weaknesses in data security policies, third-party vendor oversight, and compliance with state requirements raising concerns as the district expands its use of AI and educational technology.
The audit, covering 2020 to 2025, found that NYCPS serving nearly 900,000 students lacks a comprehensive inventory of the software and third-party platforms used across its schools. This decentralized approach has led to multiple data breaches, including a 2021–22 incident involving Illuminate, a grading platform that exposed the personal information of 820,000 current and former students. In 2024, hackers accessed student names and birthdates through PowerSchool, a school records program, affecting over 3,000 students and 317 staff. The Education Department only learned of the breach in January 2025, underscoring delays in detection and response.
Between January 2023 and February 2025, auditors identified 141 data security incidents involving breaches of student and staff information, either through third-party vendors or internal systems. The report also found that 218 of 528 surveyed schools used at least 70 different applications beyond the two central systems, reflecting uncoordinated technology adoption. Despite a vendor vetting process, the Education Department lacks visibility into which schools use which platforms and whether they contain sensitive data.
Compliance failures further compound the risks. Nearly 25% of NYCPS employees about 43,000 staff did not complete mandatory annual data privacy training, and the district has no system to prevent untrained personnel from accessing sensitive information. Reporting delays were also prevalent: nearly half of data incidents were reported to the state Education Department past the 10-day deadline, and families were notified late in 11% of cases.
While the audit did not find direct violations of the federal Family Educational Rights and Privacy Act (FERPA), it warned that the identified gaps could lead to noncompliance. NYCPS acknowledged the findings, citing recent improvements such as a new student privacy webpage and a data privacy working group. However, the city disputed claims of a lack of centralized oversight, arguing that schools follow a standardized vendor approval process.
Critics, including education advocates and Panel for Educational Policy members, have called for a moratorium on AI adoption, citing the audit as evidence of insufficient safeguards. The comptroller’s office plans to conduct a follow-up audit in one year to assess progress.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
APRIL 2022
155
Breach
01 Apr 2022 • IEI
Illuminate Education, Inc.
Data Breach at Illuminate Education
100
CRITICAL-55
ILL223619522
A data breach incident at Illuminate Education, a third-party service provider affected many school districts in Coventry, Connecticut, and New York City.
The attacker targeted a Illuminate product, eduCLIMBER which is used by schools to track students’ grades, attendance and behavioral development.
The incident exposed the personal information of around 1,700 students enrolled in Coventry Public School and 820,000 current and former students of New York City Department of Education.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
MARCH 2022
173
Cyber Attack
01 Mar 2022 • IEI
Illuminate Education, Inc.
Illuminate Education Data Breach
143
CRITICAL-30
ILL18533522
IT systems of Illuminate Education, an online grading and attendance system were hacked in January that compromised the personal information of hundreds of students.
The information included names, birthdates, ethnicities, home languages and student ID numbers of 820,000 current and former New York City students.
The hackers exfiltrated the class and disrupted the studies, so grading and attendance platform had to be shut down.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2021
337
Breach
01 Dec 2021 • IEI
Illuminate Education, Inc.
Illuminate Education Data Breach (2021) and $5.1M Settlement (2025)
140
CRITICAL-197
ILL2704727110825
In December 2021, Illuminate Education suffered a data breach caused by a hacker exploiting inactive credentials of a former employee. The breach exposed sensitive personal and medical data of millions of students, including names, race, disability status, accommodation details, and coded medical information. The investigation revealed critical security lapses: failure to deactivate former employee credentials, lack of monitoring for suspicious logins, unsecured backup databases, and deceptive claims in the company’s Privacy Policy about compliance with security standards. The breach violated California’s KOPIPA and Connecticut’s Student Data Privacy Law, resulting in a $5.1 million settlement with attorneys general from California, Connecticut, and New York. The settlement mandates stricter security controls, monitoring, backup safeguards, and breach notifications to the DOJ, alongside reminders for school districts to review stored student data. The case underscores the heightened legal obligations for tech companies handling student data and the severe consequences of non-compliance.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JUNE 2021
489
Breach
16 Jun 2021 • IEI
Illuminate Education Inc.
Data Breach Exposing Personal Information of 1.7 Million New York Students
291
CRITICAL-198
ILL5492254111125
In 2021, Illuminate Education Inc., an educational technology company providing software for tracking student attendance, grades, and mental health data, suffered a data breach exposing the personal information of 1.7 million New York students, along with affected students in Connecticut and California. Hackers exploited the credentials of a former employee to access unencrypted database files, compromising sensitive data such as student names, birth dates, and demographic information. The breach stemmed from the company’s failure to implement basic security measures, including inactive account deactivation, data encryption, access restrictions, and suspicious activity monitoring. New York’s Attorney General secured a $1.7 million settlement (part of a $5.1 million multi-state agreement) mandating stricter cybersecurity protocols, including data encryption, access controls, and anomaly detection systems. The incident underscored vulnerabilities in handling student data, eroding trust among schools, parents, and educators.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JANUARY 2021
580
Breach
01 Jan 2021 • IEI
Illuminate Education, Inc.: FTC requires Illuminate Education to shore up security after 2021 data breach
Illuminate Education Data Breach (2021)
460
CRITICAL-120
ILL1764633287
The Federal Trade Commission on Monday announced that it will require the educational technology firm Illuminate Education to implement a data security program and delete “unnecessary” data.
The requirement is a consequence of the firm’s involvement in a data breach in which the personal data of 10 million students was compromised. According to an FTC complaint, the company failed to deploy “reasonable” cloud security measures.
“Illuminate pledged to secure and protect personal information about children and failed to do so,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a press release. “Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”
The incident occurred in 2021, when a “hacker” used the credentials of a former employee who’d left the company more than three years prior. to gain access to the company’s data systems, according to the FTC. Information accessed included email addresses, mailing addresses, dates of birth, student records and health information.
Advertisement
A proposed order outlines the steps the company would be required to take. Those include deleting information not needed to provide services to current users, following a publicly available data retention schedule, establishing an information security program and notifying the FT
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JUNE 2020
752
Breach
16 Jun 2020 • IEI
Illuminate Education
Illuminate Education Data Breach and $5.1 Million Settlement for Student Data Protection Failures
556
CRITICAL-196
ILL4002440110825
Illuminate Education, an ed-tech software company providing data and assessment tools for schools, suffered a major data breach in December 2021 and January 2022, exposing sensitive information of approximately 1.7 million current and former students across 750 schools in New York alone. The compromised data included student names, birth dates, student ID numbers, and demographic details, along with potential health records. The breach resulted from neglected security measures, including failure to encrypt student data, decommission inactive accounts, limit account permissions, monitor suspicious activity, and delete data post-contract termination. Prior warnings in 2020 about high-risk server practices were ignored. The company faced a $5.1 million settlement with New York, California, and Connecticut, with New York receiving $1.7 million. Regulators mandated stricter security protocols, including encryption, access controls, vulnerability tracking, and annual disclosures of collected data categories. The incident marked Connecticut’s first enforcement under its Student Data Privacy Law, emphasizing heightened accountability for ed-tech firms handling children’s information.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for IEI ??
What was IEI's A.I Rankiteo Cyber Score in June 2026 ??
What was IEI's A.I Rankiteo Cyber Score in May 2026 ??
What was IEI's A.I Rankiteo Cyber Score in April 2026 ??
What was IEI's A.I Rankiteo Cyber Score in March 2026 ??
What was IEI's A.I Rankiteo Cyber Score in February 2026 ??
What was IEI's A.I Rankiteo Cyber Score in January 2026 ??
What was IEI's A.I Rankiteo Cyber Score in December 2025 ??
What was IEI's A.I Rankiteo Cyber Score in November 2025 ??
What was IEI's A.I Rankiteo Cyber Score in October 2025 ??
What was IEI's A.I Rankiteo Cyber Score in September 2025 ??
What was IEI's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on IEI's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with IEI ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view IEI's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?