Federal regulators have moved against a major education-technology provider after uncovering what they describe as years of serious security failures that left sensitive information on more than ten million students exposed.
The Federal Trade Commission announced an action against Illuminate Education, alleging the company stored student data in plain text, ignored repeated vulnerability warnings, and misrepresented the strength of its security practices to school districts nationwide. Hackers accessed the company’s databases in 2021, but according to the FTC, some districts weren’t notified for nearly two years.
The proposed order would require Illuminate to implement a full information-security overhaul, adopt strict data-retention limits, and notify the FTC whenever it reports future breaches to authorities. Any violation of the order could trigger penalties exceeding $50,000 per incident.
The case signals growing federal scrutiny of the ed-tech sector, where companies routinely handle large volumes of sensitive data on minors but often operate without the level of security oversight applied to other industries. Regulators say the message is simple: if a vendor handles student data, it must protect it—and delays or assurances won’t paper over systemic failures.
