Attorney General Tong Enters into Settlement in First Action Under Connecticut's Student Data Privacy Law

Press Releases 11/06/2025 Attorney General Tong Enters into Settlement in First Action Under Connecticut's Student Data Privacy Law Illuminate Exposed Personal Information of Millions of Students in New York, California, and Connecticut  (Hartford, CT) - Attorney General William Tong along with California Attorney General Rob Bonta and New York Attorney General Letitia James today announced that they have secured a total of $5.1 million from educational technology company Illuminate Education, Inc. ("Illuminate"), a wholly owned subsidiary of Renaissance Learning, Inc., for failing to protect students' data. Illuminate provides software to schools and school districts across the country to track students' attendance and grades and to monitor students' academic, behavioral, and mental health development. In 2022, Illuminate experienced a data breach that exposed the personal information of millions of students, including 28,610 students in six school districts in Connecticut. An investigation by the Office of the Attorney General found that Illuminate failed to implement basic security measures to protect students' data, including failing to monitor for suspicious activity on their platforms. As a result of today's settlements, Illuminate must take steps to enhance and strengthen its cybersecurity practices as well as pay $5.1 million in total. Today's action is the first such settlement reached under Connecticut's Student Data Privacy Law, which was enacted in 2016 and amended in 2017 and 2018. Among other things, the law requires online educational providers to maintain data security measures that meet or exceed industry standards and that are designed to protect student data from unauthorized access or disclosure. "Technology is everywhere in schools today, and Connecticut's Student Data Privacy Law requires strict security to protect children's information. Illuminate failed to implement basic safeguards, and exposed the personal information of millions of students, including thousands here in Connecticut. This action-Connecticut's first ever under the Student Data Privacy Law-holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously," said Attorney General Tong. "Students, parents, and teachers should be able to trust that their schools' online platforms are safe and secure," said Attorney General James. "Illuminate violated that trust and did not take basic steps to protect students' data. Today's settlements will ensure that Illuminate protects students' data in classrooms across the country. My office will continue to use every tool at our disposal to protect children online." "Illuminate failed to appropriately safeguard the data of school children, resulting in a data breach that compromised the sensitive data of students nationwide, including more than 434,000 California students. Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids," said Attorney General Bonta. "Today's settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children's' information. I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents' data. Data security concerns know no borders, and as today's settlements showcase, neither should state collaboration." In December 2021, hackers were able to access one of Illuminate's online accounts using the credentials of a former employee who had left the company years earlier. The hackers then downloaded unencrypted database files containing the information of 28,610 students in six Connecticut school districts. The student information included student names, birth dates, student ID numbers, and demographic information. The Office of Attorney General determined that Illuminate had failed to employ reasonable data security practices designed to protect students' personal information. As a result of today's settlements, Illuminate must pay $5.1 million, of which Connecticut will receive $150,000 where 28,610 students were impacted; New York will receive $1.7 million where 1.7 million students were impacted; and California will receive $3.25 million where 3 million students were impacted. Illuminate is also required to adopt measures to better protect students' personal information, including: 1. Reviewing and conforming all contracts with Connecticut school districts to comply with the Student Data Privacy Law. 2. Employing specific safeguards, including maintaining data inventories, minimizing data and limiting data retention to its specific purpose; 3. Employing proper access controls and authentication; 4. Performing data security risk assessments and penetration tests; 5. Establishing a right to delete data; 6. Monitoring vendors; 7. Obtaining an information security assessment from the third-party assessor. Assistant Attorneys General John Neumon and Kileigh Nassau, as well as Deputy Associate Attorney General and Privacy Section Chief Michele Lucan, assisted the Attorney General in this matter. For more information on the Student Data Privacy law, please see: Student Data Privacy Click here for Connecticut's filing. Twitter: @AGWilliamTong Facebook: CT Attorney General Media Contact: Elizabeth Benton [email protected] Consumer Inquiries: 860-808-5318 [email protected] Twitter Facebook Email Print