DataBreaches.Net

Personal and sensitive data of 59,000 charter school students in California leaked: researcher

Posted on December 12, 2015 by Dissent

California Virtual Academies (CAVA) is a network of 11 publicly funded charter K-12 schools in California. Researcher Chris Vickery recently contacted DataBreaches.net after he found a database with 58,694 of their students’ records leaking. In addition to a lot of personal information on the students, all of it in plain text, the leaking data included some information on student disabilities and special education needs, services, and goals – again, all in plain text.

Here are redacted screencaps from two of the directories, just to give you an idea of what kind of information was vulnerable to access. The first screencap is from a case notes directory and has information about a therapy session with a service provider:

[Screencap: redacted case note example]

Another directory contains special education profiles that include the student’s date of birth, gender, ethnicity, grade, whether they have an I.E.P. (Individualized Education Program) and, if so, what the goals are. There is also a section indicating whether the student has a 504 plan and, if so, the reasons for it. The profile also indicates whether the student is on a reduced-fee or free lunch program. Social Security numbers do not appear to be included in this directory:

[Screencap: redacted special education profile example]

Yet another file, a spreadsheet, includes students’ full names, gender, birthday, school of attendance, grade, student ID, special education status, their teachers’ names, and their teachers’ contact information. The matching of the student ID number to the full name has privacy implications for aggregating or matching other data.

According to CAVA’s web site, the students’ records are covered by FERPA.

Employee Payroll Data Also Leaked

The database also contains employee information on what Vickery estimated as approximately 17,000 employees: first and last names, email addresses, Social Security numbers, and payroll information – all in plain text. Curiously, encrypted passwords were immediately followed by the same passwords in plain text:

[Screencap: redacted employee payroll record showing an encrypted password followed by the plaintext password]

CAVA’s Response

When contacted by Vickery about the exposure, CAVA responded promptly and ensured their database was secured.

DataBreaches.net requested a statement from CAVA asking for how long these data were exposed, whether the data had been accessed by anyone other than Vickery, and whether they intended to notify parents of students and employees.

Jeff Kwitowski, a spokesperson for k12, CAVA’s education and technology provider, informs DataBreaches.net that CAVA’s database was on the server of a third-party vendor who was responsible for it. Schools can contract with k12 for infosecurity services or independently contract with another provider. In this case, CAVA did not contract with k12 to manage and secure its database. According to Kwitowski, when Vickery contacted CAVA, CAVA immediately contacted k12, and although k12 was not responsible for the security of the database, k12’s IT department immediately did their due diligence, confirmed the leak, and contacted the third-party contractor to alert them. k12 IT personnel also investigated to determine whether any other schools they provide services to might also have databases at risk.

At the time of this posting, the unnamed contractor is reportedly auditing the system to identify any unauthorized IP addresses that may have gained access, and is also running additional security checks. It is not yet clear for how long the student and employee information may have been vulnerable, nor whether any other clients of the unnamed contractor may have been similarly affected. DataBreaches.net has submitted a public records request to CAVA for a copy of their contract with the third-party vendor responsible for securing their database.

“Data security is paramount,” Kwitowski tells DataBreaches.net. “k12 and CAVA will continue to investigate, collect more information, and notify affected individuals as needed.”

This post will be updated as more information becomes available. Great thanks to Chris Vickery for alerting me to this leak.

Category: Breach Incidents, Education Sector, Exposure, Of Note, Subcontractor, U.S.

2 thoughts on “Personal and sensitive data of 59,000 charter school students in California leaked: researcher”

  1. Stacie Bailey says:
    December 14, 2015 at 9:02 pm

    Hi, I am a current teacher at CAVA. I would like to have more information on this data breach. Please contact me.

    1. Dissent says:
      December 14, 2015 at 9:33 pm

      This site cannot contact nor assist individual requests. I suggest you contact your employer and ask them to explain the breach to you. As you can see from the screencap in my report, payroll info with SSN was exposed, but whether other people accessed it/downloaded it (other than the researcher who shared it with me) is something only CAVA can tell you from their audit of their logs.
