Regulator says Illuminate ignored years of warnings, stored kids' data in plain text, and kept districts in the dark

US edtech provider Illuminate Education just got dinged by the Federal Trade Commission for allegedly failing to keep an attacker from pilfering data on 10 million students.

The FTC has demanded changes from the company, but did not issue any fines or criminal charges, after an incident in late December 2021 in which a miscreant used the credentials of a former employee – someone who'd left the company more than three years earlier – to breach the edtech firm's cloud-based database.

The breach at Illuminate exposed highly-sensitive records tied to 10.1 million students: email and postal addresses, dates of birth, student records, and even health-related information.

Illuminate had marketed itself to school districts as a trustworthy custodian of student information, promising to handle data "as if it's our own" and using contract language that portrayed its security posture as compliant with best practices, including encryption and the usual ...