
College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data

HempBoosh

Summary

An unsecured Amazon S3 (Simple Storage Service) was left in the open which contained nearly 1 million records of sensitive high school student academic information. Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.


Quotes


The unsecured bucket seems to belong to CaptainU, an online platform that purports to help connect student athletes and colleges or universities that are interested in recruiting them for their athletic programs. Because of that, the bucket also contains pictures and videos of students’ athletic achievements, messages from students to coaches, and other recruitment materials.

Because the data leaks concern minors (being high school students) aged 13-18, this leak seems particularly sensitive.


On May 22, we reached out to CaptainU to help them secure their database. When we received no response from the company, we contacted Amazon on June 1 to get the issue fixed. However, while they were able to secure the indexing on June 9, the files are still accessible.

Through an Amazon representative, CaptainU claimed that the sensitive educational data was “meant to be openly available.” But it seems that CaptainU never mentioned this fact to the students or their parents.


Let’s look at some examples of the sensitive academic records that the CaptainU database is leaking.

Here’s what looks to be an ID with the student’s name, GPA, SAT score, high school, phone number and email address:

[Image: student ID with blurred info]


My thoughts

This is especially bad because it's affecting young people who aren't necessarily that experienced with dealing with online scams or phishing. All of this leaked data could make them potential targets to various scams. Hopefully nothing bad will come of this.


Sources

https://cybernews.com/security/college-recruitment-database-leaking-nearly-1-million-students-gpas-sat-scores-ids-and-other-personal-data/
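The partial fix described above (listing blocked, files still fetchable) comes down to which grants an anonymous principal still holds on the bucket. As an added example, not code from the article or from CaptainU, this Python audits a bucket policy document for exactly that distinction; the sample policy and the bucket name in it are constructed placeholders.

```python
"""Audit an S3 bucket policy for what an anonymous caller may do, separating
bucket listing (s3:ListBucket, the "indexing") from object reads (s3:GetObject).
Added example, not code from the article or CaptainU; the sample policy is constructed."""
import json
from fnmatch import fnmatch

# Constructed sample: the listing grant was removed, but every object in the
# bucket is still world-readable, so anyone holding a URL can fetch the file.
SAMPLE_POLICY_AFTER_PARTIAL_FIX = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-recruiting-bucket/*",  # placeholder name
    }],
})


def _is_anonymous(principal) -> bool:
    """True when a statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def anonymous_grants(policy_json: str) -> dict:
    """Return {"list": bool, "read": bool} for an anonymous caller.
    Statements carrying a Condition are still counted (conservative: a scoped
    public grant is flagged rather than assumed safe); an explicit Deny wins."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be bare
        statements = [statements]
    allowed, denied = [], []
    for st in statements:
        if not _is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        target = allowed if st.get("Effect") == "Allow" else denied
        target.extend(a.lower() for a in actions)   # keeps patterns like "s3:Get*"

    def granted(action: str) -> bool:
        return (any(fnmatch(action, p) for p in allowed)
                and not any(fnmatch(action, p) for p in denied))

    return {"list": granted("s3:listbucket"), "read": granted("s3:getobject")}
```

A result of `{"list": False, "read": True}` is the state the article describes: the bucket cannot be enumerated, but every object whose key is already known stays public.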


This stuff needs to start being considered intentional by companies and their employees and dealt with accordingly. That is how you deal with this sort of thing responsibly. Data is not secure from the inside. This is one method. You don't need to prove intent. Intent is just incompetency when someone does it long enough to be sleazy. That is how you deal with liars and incompetency to stop people from lying (feigning incompetency) and then doing it more. One is just an extremity of the other.

We basically know tech industries have been blackmailed out of positions. You can guess why (at least part of it). (BTW, blackmail in the US is supposed to make any info and evidence from the blackmailer illegal to use in court to stop abuses. The government not doing this is a literal conspiracy and must be treated as such by law in regards to the government. On top of other things US law is primarily designed to stop corruptions from and using the government. What you might call corruption in high places.)

The use of blackmail data is a base issue the judicial system and congress cannot change without being violators of the law. It's automatic. They just say otherwise to convince people it's legal and carry out crimes.


9 minutes ago, Sauron said:

Imagine being this incompetent.

No don't worry there is no issue at all, it was supposed to be open to the public for all to see.

Quote

An Amazon representative then informed us that CaptainU intended this information to be publicly available

So no problem right? 🤣


Just now, leadeater said:

No don't worry there is no issue at all, it was supposed to be open to the public for all to see.

So no problem right? 🤣

YEAH GUYS WE TOTALLY MEANT IT LIKE THIS

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


I'm a little more worried about Amazon's response tbh. They were told their service is hosting a public facing database of personal information, of high school kids no less, and it takes them 9 days to do anything, yet what they do do does nothing about the actual issue?

Amazon should have pulled the entire thing down and told its owner that it stays down until such a time as it's secured properly.

It's at least understandable how a non IT company could make a mistake like this (not saying it's OK) but Amazon know exactly how to deal with it and have the power to do so, they just decided not to.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |


Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


They need to be treated as doing this with full intent and dealt with accordingly. If it's in the US that is the only legal answer. Their words and actions solidify this. This stuff must be treated as intentional info access or it will never stop and will keep getting worse, and it needs to be treated this way with everything. Not that we will get that or not get it being twisted to do worse things sadly.


I strongly suspect that is the end of CaptainU. If I worked there I'd be packing up my desk and sending out resumes on the company printer before it gets seized.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.


Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


At this point the people who deal with digital security need to be held to the same code of conduct as other professionals like Engineers and Doctors. People that can potentially leak a million people's addresses should be treated like people that can cause a bridge to collapse.


9 hours ago, Master Disaster said:

I'm a little more worried about Amazon's response tbh. They were told their service is hosting a public facing database of personal information, of high school kids no less, and it takes them 9 days to do anything, yet what they do do does nothing about the actual issue?

Amazon should have pulled the entire thing down and told its owner that it stays down until such a time as it's secured properly.

It's at least understandable how a non IT company could make a mistake like this (not saying it's OK) but Amazon know exactly how to deal with it and have the power to do so, they just decided not to.

nah it's totally intended for all the students' mailing addresses to be publicly available


16 hours ago, AlexTheGreatish said:

At this point the people who deal with digital security need to be held to the same code of conduct as other professionals like Engineers and Doctors. People that can potentially leak a million people's addresses should be treated like people that can cause a bridge to collapse.

Definitely, we're living in the information age and our data is becoming more and more valuable. It's good that at least there are bug bounties and independent security researchers that can double check the integrity of existing systems or find leaked data. I don't want governments to regulate the internet too much, even for the sake of security, so we should do what we can to make sure everything stays secure.
