The Federal Trade Commission finalized an order against classroom software provider Illuminate Education after a massive data breach. The ruling forces the company to overhaul its security practices and permanently stops it from misleading school districts about its cybersecurity.
What Happened
In December 2021, a cyberattack on Illuminate Education compromised the personal information of about 10.1 million current and former students across dozens of school districts, including New York City. The stolen data included student email addresses, home addresses, birth dates, academic records, and health information.
According to the FTC news release, a hacker gained access to Illuminate's network by using the credentials of a former employee. The agency alleged that Illuminate ignored warnings about security vulnerabilities starting in 2020 and failed to implement basic security measures such as access controls and system updates.
Illuminate also delayed notifying schools. Some districts did not find out about the breach until two years after the incident, according to StateScoop.
The FTC's finalized order does not include a financial penalty. Instead, it requires Illuminate to build a comprehensive security program and practice "data minimization." This means the company can only collect and keep student data needed to run its software. Illuminate must delete unnecessary files and publish a clear data retention schedule.
The Bigger Picture
Illuminate's two-year delay falls far outside standard breach-notification timelines. Most state laws require companies to inform victims within 30 to 60 days of discovering a breach, according to regulatory breach requirements.
Federal regulators are tightening rules on children's data. The FTC's updated COPPA regulations limit the data education technology platforms can gather. Even with parental consent, companies cannot harvest unnecessary details like precise locations, according to Promise Legal's COPPA overview.
State courts are also making it easier to hold companies accountable. The California Supreme Court recently ruled that victims of data breaches do not need to prove their stolen information was actually viewed to seek damages under state medical privacy laws. Simply exposing private files to risk is enough to establish liability.
What This Means for Families
Parents expect school software to keep their children’s information safe. But many school districts sign contracts without vetting actual security systems, as we previously reported. A similar breach at the Oxford Career Portal shows the exposure children face when schools rely on external technology platforms.
Compromised data puts children at risk for identity theft. Hackers target student databases because minors have clean credit histories that go unmonitored. When a vendor hides a breach for years, parents cannot take steps to protect their children's financial identities.
What You Can Do
You can take several immediate steps to protect your child's identity. First, freeze your child's credit by contacting the three major credit bureaus: Equifax, Experian, and TransUnion. This stops identity thieves from opening bank accounts or credit cards in your child’s name.
Next, ask your school administration for its data policies. Request a list of all EdTech vendors, what student information they collect, and how they follow the U.S. Department of Education's student data privacy guidelines.
Finally, contact your local school board to demand transparency. Ask them to pass policies requiring swift, 30-day notifications for all software breaches, regardless of the minimums required by state law.