They Sold Software to Schools. They Handed Over Your Kids’ Secrets.

A company with access to the most intimate details of over 10 million children’s lives — their foster care status, their disabilities, their homelessness, their mental health records — failed to protect any of it, and the federal government had to force them to stop.

The Company in Your Child’s School You’ve Never Heard Of

Inside the Classroom, Inside Your Family’s Private Life

Illuminate Education, Inc. operated out of Wisconsin Rapids, Wisconsin, and positioned itself as an essential technology partner for K-12 school districts across America. Its product suite included tools named eSchoolData, eduCLIMBER, DnA, FastBridge, and SchoolCity. Schools used these platforms to track students’ academic performance, intervention needs, behavioral records, and demographic backgrounds.

The problem is that the data these tools collected extended far beyond test scores. When a school district signed a contract with Illuminate, they handed over an extraordinary amount of trust — and an extraordinary amount of their students’ most private information. The families affected had no idea this company existed, let alone that it was sitting on files that could define, damage, or destroy a child’s future opportunities.

The FTC’s involvement confirms this reached a threshold of harm serious enough to require federal intervention. The agency found reason to believe Illuminate violated the Federal Trade Commission Act, which is the foundational consumer protection law in the United States. That is the government telling you, plainly, that what this company did was wrong.

The Products That Opened the Door

Every one of Illuminate’s named products falls under the legal definition of a “Covered Product” in the FTC’s order. That classification means every single one of these tools was collecting and processing data on children. The company built its entire business model around accessing the most sensitive data ecosystem in America: public school records.

Schools trusted Illuminate because the company presented its tools as solutions for identifying struggling students and improving outcomes. That framing made it easy for administrators to hand over student data without fully reckoning with what could happen if Illuminate failed in its responsibility to protect it.

The Non-Financial Ledger: What These Kids Actually Lost

The Files That Follow a Child Forever

The FTC’s Order defines “Covered Information” with brutal specificity. It includes a child’s first and last name, home address, email address, phone number, date of birth, and government-issued ID numbers. It includes login credentials. It includes medical history, prescription information, physical and mental health testing results, health insurance information, and physician notes. Every one of those categories represents something a child’s family shared with a school in an act of trust, never imagining it would end up in a company’s inadequately secured database.

Then the list gets darker. The Order explicitly covers foster care status, homelessness status, economic status, disability information, special education needs information, and disciplinary incident information. These are the kinds of records that mark a child as different, as vulnerable, as someone the system has already flagged. A foster kid who ages out of the system doesn’t need a data breach following them into adulthood. A child in a homeless shelter doesn’t need their housing instability sitting in an unsecured server somewhere. These records carry stigma, and Illuminate held them without adequate protection.

The Consent Agreement Protects the Company, Not the Children

When Illuminate signed its Consent Agreement with the FTC, it did so under a clause that states it “neither admits nor denies any of the allegations in the draft Complaint.” That legal maneuver is standard practice, but it is worth sitting with what it means in plain language: the company that held the most sensitive records of over 10 million children will never, in any official legal record, have to say it did anything wrong. The families of those 10 million kids get no acknowledgment. They get no apology. They get the knowledge that the government stepped in, issued an order, and moved on.

The data categories in this case are a taxonomy of childhood vulnerability. Disciplinary incident information means records of suspensions, behavioral interventions, or school-based infractions. In a world where background checks scrape every available digital source, that kind of data can follow a teenager into a job interview or a college application. Special education needs information can expose a child’s learning disabilities, cognitive assessments, or IEP records — documents that are supposed to be protected under federal education privacy law. Illuminate held all of it, across multiple product lines, at scale.

The Database of Vulnerable Children That Nobody Asked For

Consider what the complete file on a single child in Illuminate’s system could look like: their full name, their home address, their date of birth, a government ID number, their login credentials, records of a psychiatric evaluation, documentation of a learning disability, a note that they are in foster care, and a record of a school suspension. That profile, assembled from the legitimate educational tools Illuminate sold to schools, constitutes an extraordinarily detailed portrait of a vulnerable minor. No parent consented to a private corporation holding that dossier. The school district handed it over because they were paying for software, and the software required it.

Legal Receipts: What the Documents Actually Say

These are verbatim passages from the FTC’s official Decision and Order and related consent documents. This is the paper trail. Read it yourself.

“The Commission considered the matter and determined that it had reason to believe that Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect.” — FTC Decision and Order, Official Findings Section

“‘Covered Information’ means information from or about an individual consumer used, collected or retained in connection with a Covered Product including: . . . (j) student demographic information (such as foster status, homelessness status, economic status, other population characteristics); (k) disability information; (l) special education needs information; or (m) disciplinary incident information.” — FTC Decision and Order, Definitions Section C

“Respondent and BCP thereafter executed an Agreement Containing Consent Order (‘Consent Agreement’). The Consent Agreement includes: (1) statements by Respondent that it neither admits nor denies any of the allegations in the draft Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction.” — FTC Decision and Order, Decision Section

“‘Medical Information’ means information relating to the health of an individual consumer, including but not limited to medical history information, prescription information, physical or mental health testing information, health insurance information, or physician exam or health professional notes.” — FTC Decision and Order, Definitions Section G

“Proposed Respondent agrees that service of the Order may be effected by its publication on the Commission’s website (ftc.gov), at which time the Order will become final. . . . Proposed Respondent understands that it may be liable for civil penalties and other relief for each violation of the Decision and Order after it becomes final.” — Agreement Containing Consent Order, Section 5 and Section 8

Societal Impact: The Damage Spreads Further Than One Company

Public Health: When Mental Health Records Become Liabilities

The FTC’s definition of “Medical Information” in this case is sweeping. It covers medical history, prescription information, physical or mental health testing information, health insurance information, and physician exam or health professional notes. For school-age children, this category almost certainly includes records from psychological evaluations, counseling sessions conducted through school-based mental health programs, and assessments done to determine special education eligibility. These records are among the most sensitive a person can have.

When records this sensitive are inadequately protected, families face concrete public health consequences. Parents may stop bringing children to school-based counseling programs because they no longer trust that the records are safe. Teenagers with anxiety, depression, or behavioral health needs may refuse evaluation because they fear what happens to those files. The documented failure of a company like Illuminate doesn’t just harm the kids whose data was already exposed; it actively discourages future children from accessing mental health services they desperately need.

The “special education needs information” category compounds this further. Federal law under IDEA (the Individuals with Disabilities Education Act) already creates a complex system of rights and protections around these records. When a private EdTech company holds this data without adequate security, it creates a gap between the protections federal law intends and the protection families actually receive. That gap is where real harm lives.

Economic Inequality: The Most Vulnerable Kids Were the Most Exposed

Look at the demographic data categories Illuminate held: foster status, homelessness status, and economic status. These categories exist in school systems because schools use them to identify students who need additional resources and support. Identifying a child as homeless or economically disadvantaged is supposed to unlock help, not create a new vector of risk. But when the company holding that data fails to protect it, the families least equipped to deal with a data breach — already navigating housing instability or the foster care system — bear the greatest exposure.

Data brokers, insurance companies, employers, and financial institutions all operate in ecosystems where the kind of demographic information Illuminate held has monetary value. A child identified as economically disadvantaged in a school record today could face higher insurance premiums, predatory financial product targeting, or employment discrimination fifteen years from now based on a data trail that traces back to a failed software company’s inadequate security practices. The families least able to monitor or fight these consequences are exactly the families whose data was flagged as most sensitive.

The EdTech industry has industrialized access to student data at a scale that would have been unimaginable a generation ago. Companies like Illuminate embed themselves into the daily operations of public school districts, accumulate data across millions of children and years, and then operate with data security standards that the FTC found reason to believe violated federal law. The communities that rely most heavily on public school infrastructure — lower-income communities, communities of color, rural districts with fewer resources to vet vendors — are the communities most exposed when these companies fail.

What Now: Fight Back, Don’t Wait

The People Responsible

The Consent Agreement was signed by Chris Bauleke, President and Chief Executive Officer of Illuminate Education, Inc. The FTC enforcement was led by Bhavna Changrani and Robin Rosen Spector of the Bureau of Consumer Protection, approved by Mark Eichorn, Assistant Director, Division of Privacy and Identity Protection, and Christopher Mufarrige, Director of the Bureau of Consumer Protection.

Regulatory Watchlist: Bodies That Should Be On This

• FTC — Federal Trade Commission: Already involved. Monitor their enforcement actions at ftc.gov. Submit public comments on any new EdTech investigations.
• CFPB — Consumer Financial Protection Bureau: Relevant when data exposure enables predatory financial targeting of vulnerable families.
• U.S. Department of Education: Oversees FERPA (Family Educational Rights and Privacy Act) compliance. File complaints if your school district shared student data without proper safeguards.
• State Attorneys General: Many states have their own student data privacy laws. Contact your state AG’s office if you believe your child’s records were compromised.
• OSHA and State Labor Agencies: If school staff data was also involved, occupational data privacy protections may apply.

What You Can Actually Do Right Now

Start local. Request a full list of every third-party EdTech vendor your child’s school district uses, and ask each district what data they share with each vendor. Under FERPA, you have the right to inspect your child’s educational records. Use it. Connect with parent-teacher organizations, school board advocacy groups, and local privacy rights organizations that are already fighting EdTech data exploitation at the district level. The school board is elected. Make data privacy a campaign issue. Collective pressure on local procurement decisions — which vendors get contracts, what data protections are required in those contracts — is the most direct lever available, and it doesn’t require a lawyer or a lobbyist to pull it.