The Federal Trade Commission has finalized an order against classroom software provider Illuminate Education, holding the company accountable for a data breach that exposed the private information of millions of students. This decision shows the growing legal pressure on educational technology vendors to protect student privacy. It also reveals a gap in federal laws that leaves local school districts holding the bag when private data leaks.
What Happened
The regulatory action stems from a December 2021 cyberattack in which a hacker used old credentials from a former employee to access the sensitive files of 10.1 million current and former students. According to the Federal Trade Commission, the compromised files contained student email addresses, dates of birth, academic records, and health information.
Federal investigators found that the company ignored internal security warnings starting in 2020. The software provider also failed to notify some school districts about the hack in a timely manner, with some notifications delayed by up to two years. Under the finalized consent agreement, the company is prohibited from making misleading claims about its privacy practices and must delete any student data that is not actively needed to run its services.
The Bigger Picture
This case shows a frustrating reality for parents and school administrators: federal student privacy laws have not kept pace with classroom technology. As we previously reported, regulators are increasingly using consumer protection authority to police school software vendors because traditional education laws fall short.
Indeed, the primary federal law governing student records, the Family Educational Rights and Privacy Act (FERPA), does not directly apply to third-party vendors. Instead, the legal responsibility under FERPA rests entirely on the school districts themselves. If a private vendor loses student files or fails to secure its systems, the school is technically the entity in violation of federal law.
Because of this federal gap, state lawmakers have passed their own regulations. Laws like California's SOPIPA and Illinois' SOPPA restrict how vendors handle student data. Newer state privacy laws that took effect in early 2026 in Indiana, Kentucky, and Rhode Island have pushed school districts to demand strict contractual clauses. Many school districts now require vendors to agree to automated 72-hour breach notification workflows in their contracts.
While the FTC did not issue a financial penalty in this case, state regulators are increasingly using fines to protect student details. For example, the New York Attorney General recently secured a $750,000 penalty against the College Board for unlawfully selling and sharing student data. In May 2026, a breach of the Canvas learning management platform by the hacker group ShinyHunters disrupted exams at major universities and exposed millions of student IDs. This incident shows that student records remain a top target for cybercriminals.
What This Means for Families
Modern classroom portals do more than store digital homework. They track grades, record behavior, log private teacher-student chats, and store health data. When a vendor fails to secure its systems, this sensitive information can end up on the dark web. This puts children at risk of identity theft and targeted phishing attacks.
Since federal law does not directly police these companies, families cannot rely on federal agencies alone to keep student data safe. School districts must vet their vendors and negotiate strict contracts. They also need to verify that outdated student records are actually destroyed.
What You Can Do
You can take several steps to protect your child's information:
- Ask your school principal how long the district's software vendors keep your child's records, and demand that they enforce policies to delete student data when the student graduates or leaves the district.
- Request copies of your district's Data Processing Agreements to ensure they require an automated 72-hour breach notification workflow from all software vendors.
- Encourage your local school board to audit all current software platforms for compliance with local regulations, such as New York's Education Law 2-d or California's SOPIPA.