Illuminate Education Data Breach Class Action Investigation

▸ Massive Illuminate Education Data Breach

The number of school districts affected by the Illuminate Education Data Breach continues to expand – most recently adding Ventura Unified School District pupils to the list of affected students. Illuminate Education (“Illuminate”), based in Irvine, California, offers a popular suite of applications that provide student management services, screening, and progress monitoring to school districts across the country.

According to the company and affected school districts, on January 8, 2022, Illuminate became aware of “suspicious activity” within some Illuminate applications. After investigation, Illuminate determined that “certain databases containing potentially protected student information were subject to unauthorized access between December 28, 2021 and January 8, 2022.” The affected databases may have contained protected data related to current and/or former students.

What Personal Information Did the Breached Databases Contain?

  • Student name
  • Academic information
  • Behavior information
  • Enrollment information
  • Accommodation information
  • Special education information
  • Student demographic information

What California School Districts Have Reported Breached Student Data?

  • Los Angeles Unified School District (LAUSD)
  • Ventura Unified School District (VUSD)
  • Riverside County School District(s)
  • Ceres Unified School District
  • Rocklin Unified School District

Illuminate Education’s data breach has impacted students in other school districts as well, including students in ColoradoConnecticut, and over 800,000 current and former New York City students.

Illuminate Education is offering the minor students 12 months of complimentary identity monitoring services through IDX.

Sample copies of the Illuminate California Data Breach Notices are available here for LAUSD, Ventura Unified School District, Riverside County, Ceres Unified, and Rocklin Unified.

Personal data about students represents a particularly attractive target for cyber thieves because minors do not use credit cards, file taxes, or have other contact with their credit on a regular basis. Thieves take advantage of this lapse in oversight to use the stolen credentials of minors to create false identities and rack up fraudulent charges. If you are the parent of a minor affected by these data breaches, it is vital that you take steps, like credit freezes, to prevent long-term repercussions to your child’s credit from this data breach.

Special California Privacy Laws Protect Your Information

If your student is or was a California resident and received a Recent Notice of Data Breach from Illuminate Education, you may be entitled to between $100 and $1,000 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

California has laws that specifically protect your personal information.

  • The Student Online Personal Information Protection Act (SOPIPA)requires that every online service used primarily for K-12 school purposes must maintain reasonable security procedures and practices to protect student personal information from unauthorized access, destruction, or disclosure.
  • The California Confidentiality of Medical Information Act (CMIA)requires that every health care provider and health care service plan who maintains medical information do so in a manner that preserves its confidentiality.
  • The California Customer Records Act requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information.
  • The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents.

If certain types of personal information, like medical information and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the SOPIPA, CCPA, and CCRA.  Medical information is additionally covered by the CMIA.

Cyber crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20 per record, depending on the type of information, according to Privacy Affairs Dark Web Index of 2021. Medical records are even more valuable, as they potentially provide access to expensive health care along with other forms of identity theft. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Personal data about minor students, which may include special education information and other highly sensitive materials, should be robustly protected by school districts and the educational technology companies they use. As noted by the California Attorney General’s Office,

“The data on students collected and maintained by Ed Tech can be very sensitive, including medical histories, social and emotional assessments, child welfare or juvenile justice system involvement, progress reports, and test results.” [1]

The sensitive nature of this data means that “student information is something that must be handled with great care. [. . . ] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.”[2]


[1] Source: Kamala Harris, former Attorney General of California, California DOJ, Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (2016).

[2] Source: same.