How the FTC's Crackdown on EdTech Breaches Impacts Your Child's Data

The FTC's finalized order against Illuminate Education signals a strict new era of federal data security mandates for classroom software vendors.

Wednesday, June 10, 2026

Key Takeaways

  • The FTC finalized a strict data security order against Illuminate Education Inc. after a breach exposed the personal and academic data of 10.1 million students.
  • Educational databases like PowerSchool and Canvas have suffered major breaches, exposing up to 275 million users globally because of weak authentication.
  • Traditional student privacy laws like FERPA apply only to school districts. Because of this limitation, the FTC uses consumer protection laws to penalize negligent EdTech vendors directly.
  • Cybercriminals exploit human vulnerabilities, such as weak passwords and a lack of multi-factor authentication, 45% more often than software flaws to breach school systems.

The Federal Trade Commission is taking aggressive steps to hold educational technology companies accountable for failing to protect student data. Following massive breaches that exposed millions of children's records, federal regulators are shifting the burden of data security from overworked school districts back to private vendors. This enforcement signals a major change in how classroom software must handle student privacy going forward.

What Happened

In June 2026, the Federal Trade Commission (FTC) issued a finalized order against Illuminate Education Inc., settling allegations that the company failed to implement reasonable security measures. As we previously reported, the company suffered a major data breach between late 2021 and early 2022. This incident allowed hackers to access the personal information of 10.1 million students, according to a report by GovTech. The stolen files contained sensitive information, including student names, academic records, demographic data, and health information.

The FTC's complaint revealed that Illuminate had been warned about security vulnerabilities by a third-party vendor two years prior to the breach, yet the company failed to act. Under the newly approved order, Illuminate is legally required to establish a comprehensive data security program. The company must also limit how long it retains student data and immediately delete unnecessary student profiles.

The Bigger Picture

This regulatory action comes as schools have become a primary target for cybercriminals. Educational databases are now the highest-exposure third-party risk on the internet. In 2025 alone, there were 251 confirmed ransomware attacks on global education institutions, with the United States bearing the brunt of the damage with 130 of those incidents.

The scale of these breaches has escalated rapidly. For instance, a December 2024 breach of the student information system PowerSchool exposed 62 million students and nearly 10 million educators. In April 2026, the threat group ShinyHunters targeted the widely used learning management system Canvas, compromising an estimated 275 million users globally and exfiltrating over 3.6 terabytes of data.

These attacks are rarely due to highly sophisticated technical exploits. According to cybersecurity analysis, hackers target human behavior, such as weak passwords or phishing, 45% more often than software vulnerabilities. The PowerSchool breach occurred simply because a customer-support portal lacked multi-factor authentication, allowing hackers to log in with a single compromised password.

Historically, holding EdTech companies accountable has been difficult due to legal loopholes. The primary student privacy law, the Family Educational Rights and Privacy Act (FERPA), is a school law, not a vendor law. This means the federal government can penalize school districts for privacy failures, but it has had limited authority over the private companies that schools contract with. By using its consumer protection powers, the FTC is bypassing this limitation to penalize negligent software developers directly.

What This Means for Families

For parents and educators, these federal actions mark a shift toward data minimization. This means companies should only collect the data they absolutely need to run their services, and delete it as soon as possible. Rather than allowing software vendors to build permanent profiles on children throughout their school years, the FTC is forcing a change.

If your child uses classroom portals, their personal data is likely sitting in multiple cloud databases. When EdTech vendors do not practice clean data hygiene, that information remains vulnerable to extortion and identity theft long after your child has left the school district.

What You Can Do

  • Ask your school principal or district tech director if their vendor contracts include mandatory data deletion clauses. Software companies should not hold onto student files once a child advances to the next grade.
  • Urge your district to require multi-factor authentication on all staff portals and central platforms like Canvas or PowerSchool, since human error is the leading entry point for hackers.
  • Demand transparency regarding how quickly your school is notified when a vendor experiences a security incident. The FTC's order specifically penalizes companies that delay notifying schools about compromised student files.