Back in December, this site broke the story of a misconfigured database affecting students and faculty at California Virtual Academies. The leaky database had been uncovered by independent researcher Chris Vickery, who estimated the number affected at 59,500. CAVA would subsequently inform this site that an unnamed vendor was responsible for the misconfiguration.
Today, CAVA submitted a copy of its breach notice to the California Attorney General’s Office. The metadata for their submission indicates that 15,500 were affected. That number applies to the employees, as the notification is to them and offers them free credit monitoring services. It’s not clear to me whether CAVA will also be submitting a letter that addresses the exposure of student information.
The notification letter indicates that there was no evidence of any access to the database other than by the researcher, whom they thank without naming.
They do not name the vendor, but investigation by DataBreaches.net supplemented by a FOI request revealed that the vendor was FusionPlus, Inc.