DataBreaches.Net


Personal and sensitive data of 59,000 charter school students in California leaked: researcher

Posted on December 12, 2015 by Dissent

California Virtual Academies (CAVA) is a network of 11 publicly funded charter K-12 schools in California. Researcher Chris Vickery recently contacted DataBreaches.net after he found an exposed database containing 58,694 of their students’ records. In addition to a lot of personal information on the students, all in plain text, the exposed data included some information on student disabilities and special education needs, services, and goals – again, all in plain text.

Here are redacted screencaps from two of the directories, just to give you an idea of what kind of information was vulnerable to access. The first screencap is from a case notes directory and has information about a therapy session with a service provider:

[Redacted screencap: case note example]

Another directory contains special education profiles that include the student’s date of birth, gender, ethnicity, grade, whether they have an I.E.P. (Individualized Education Program) and, if so, what the goals are. There is also a section indicating whether the student has a 504 plan and, if so, the reasons for it. The profile also indicates whether the student is on a reduced-fee or free lunch program. Social Security numbers do not appear to be included in this directory:

[Redacted screencap: special education profile example]

Yet another file, a spreadsheet, includes students’ full names, gender, birthday, school of attendance, grade, Student ID, Special Education status, their teachers’ names, and their teachers’ contact information. Matching the student ID number to the full name has privacy implications, because it allows other data keyed on that ID to be aggregated or linked to a named individual.

According to CAVA’s web site, the students’ records are covered by FERPA.

Employee Payroll Data Also Leaked

The database also contains employee information on what Vickery estimated as approximately 17,000 employees: first and last names, email addresses, Social Security numbers, and payroll information – all in plain text. Curiously, encrypted passwords were immediately followed by the same passwords in plain text:

[Redacted screencap: employee record with encrypted and plain-text passwords]

CAVA’s Response

When contacted by Vickery about the exposure, CAVA responded promptly and ensured their database was secured.

DataBreaches.net requested a statement from CAVA asking how long these data were exposed, whether the data had been accessed by anyone other than Vickery, and whether they intended to notify parents of students and employees.

Jeff Kwitowski, a spokesperson for k12, CAVA’s education and technology provider, informs DataBreaches.net that CAVA’s database was on the server of a third-party vendor who was responsible for it. Schools can contract with k12 for infosecurity services or independently contract with another provider. In this case, CAVA did not contract with k12 to manage and secure its database. According to Kwitowski, when Vickery contacted CAVA, CAVA immediately contacted k12, and although k12 was not responsible for the security of the database, k12’s IT department immediately did its due diligence, confirmed the leak, and contacted the third-party contractor to alert them. k12 IT personnel also investigated whether any other schools they provide services to might have databases at risk.

At the time of this posting, the unnamed contractor is reportedly auditing the system to identify any unauthorized IP addresses that may have gained access, and is also running additional security checks. It is not yet clear how long the student and employee information may have been vulnerable, nor whether any other clients of the unnamed contractor may have been similarly affected. DataBreaches.net has submitted a public records request to CAVA for a copy of their contract with the third-party vendor responsible for securing their database.

“Data security is paramount,” Kwitowski tells DataBreaches.net. “k12 and CAVA will continue to investigate, collect more information, and notify affected individuals as needed.”

This post will be updated as more information becomes available. Great thanks to Chris Vickery for alerting me to this leak.

Category: Breach Incidents, Education Sector, Exposure, Of Note, Subcontractor, U.S.


2 thoughts on “Personal and sensitive data of 59,000 charter school students in California leaked: researcher”

  1. Stacie Bailey says:
    December 14, 2015 at 9:02 pm

    Hi, I am a current teacher at CAVA. I would like to have more information on this data breach. Please contact me.

    1. Dissent says:
      December 14, 2015 at 9:33 pm

      This site cannot contact or assist with individual requests. I suggest you contact your employer and ask them to explain the breach to you. As you can see from the screencap in my report, payroll info with SSNs was exposed, but whether other people accessed or downloaded it (other than the researcher who shared it with me) is something only CAVA can tell you from their audit of their logs.

Comments are closed.
