10 Million Student Records, One Login Nobody Deprovisioned
The FTC's fix for an ed-tech breach wasn't more storage. It was a retention schedule someone has to own.
The fastest way to lose ten million records is to keep them long after anyone needed them, behind a login for an employee who left years ago. In December 2025 the FTC turned that exact sequence into an order, and the remedy reads less like cybersecurity than like basic housekeeping written down for the first time.
On 1 December 2025 the FTC announced a settlement with ed-tech vendor Illuminate Education over a breach exposing the personal data of 10.1 million students — names, addresses, dates of birth, records, and health-related information. Per the complaint, in late December 2021 an attacker logged in with the credentials of a former employee who had departed three and a half years earlier, and reached databases on a third-party cloud. The order requires Illuminate to delete personal information it no longer needs and to follow a publicly available retention schedule stating why data is collected and when it gets deleted.
Why it matters: the headline is a breach, but the operative failure is retention nobody owned. A credential outliving its human by three and a half years is not an exotic exploit; it is the natural state of any access list without a deprovisioning owner. The data sat there because keeping it was the default and deleting it required someone to volunteer for an unglamorous chore. The regulator's response was not encryption theater — it was a calendar with a name attached.
What this reveals is that "keep everything, it might be useful later" is not a strategy; it is the absence of one wearing a strategy's clothes. Illuminate's order arrives the same season U.S. states are writing the opposite instinct into statute: Maryland's privacy law, effective 1 October 2025, limits collection to what is "reasonably necessary and proportionate" to the service the consumer actually asked for. Minimization and retention are the same discipline read forwards and backwards — collect only what you can justify, keep it only as long as you can justify, and assign someone to enforce both.
Watch for the schedule to become a real artifact with a named owner and audit dates, not a PDF that exists to be shown and never run. Watch whether "we might train on it someday" gets quietly logged as a retention justification, converting a governance gap into a roadmap item. And watch the broader pattern: regulators are no longer asking only how you guard the hoard — they're asking why it exists, who decided to keep it, and on what date it was supposed to be gone.
Storage is cheap; ownerless storage is a breach with a delay timer. A retention schedule that names no owner and triggers no deletion is just an inventory of your future incident report.
The FTC's December 2025 order followed a breach of 10.1 million students' data accessed via a former employee's credentials that remained active three and a half years after departure.
The order requires Illuminate to delete data it no longer needs and follow a publicly available retention schedule specifying collection purpose and deletion timing.
Maryland's privacy law, effective October 1, 2025, limits collection to what is reasonably necessary and proportionate to the service the consumer requested.