
Vendor used by schools to register students for AP and PSAT exams left personal information of thousands of students unsecured

Posted on May 9, 2019 by Dissent

A school contractor that provides online registration so students can sign up for AP and PSAT exams misconfigured their cloud storage, exposing students’ and parents’ personal information.

A number of school districts or schools contract with a firm in Colorado called Total Registration, which, according to its website, registered more than 525,000 students from more than 1,220 schools in 2018.

In early April, DataBreaches.net was contacted by a researcher who had discovered that Total Registration had failed to secure their Amazon bucket, leaving student and parent information exposed in plain text, without any password required to access it.
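The exposure described above is the classic world-readable bucket: objects served to anyone who knows the URL. As an added example that is not part of the original post, and not Total Registration's actual configuration (which was never published), here is a small Python check of the two settings a defender would audit first: a bucket policy statement that grants access to an anonymous principal, beside the corrected form scoped to one application role, and the four S3 Block Public Access flags. The bucket name, account id and role name are placeholders.

```python
import json

# Constructed sample bucket policy (not the vendor's real configuration): a
# statement like this makes every object readable by anyone on the internet,
# no credentials required.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-registrations",
                     "arn:aws:s3:::example-registrations/*"],
    }],
})

# Corrected form: read access only for one named application role (placeholder ARN).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/registration-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-registrations/*",
    }],
})

def _is_anonymous(principal) -> bool:
    """True when a statement's Principal is everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_grants(policy_json: str) -> list:
    """Return the Sids of Allow statements granting access to anyone.
    Conditions are deliberately ignored, so a conditioned grant is still reported."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))]

def block_public_access_complete(cfg: dict) -> bool:
    """True only when all four S3 Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(key) is True for key in keys)
```

In a live audit the policy document would come from `get_bucket_policy` and the flags from `get_public_access_block` on each bucket; a non-empty `public_grants` result or a false `block_public_access_complete` is the finding to act on.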

DataBreaches.net reached out to the firm to notify them, and received an acknowledgement that the problem had been taken care of. But the firm did not respond when this site subsequently sent them an inquiry as to whether they were notifying any students or their client school districts about the exposure.

In the absence of an answer about notification, DataBreaches.net took a closer look at what was in the files provided to this site by the researcher.

One type of file was mail merge spreadsheets. Cursory analysis of those files showed that they contained students’ last and first names, their student ID number, their email address (which in many cases was a school-issued email address), their parent’s email address, their telephone number, their postal address, the AP exams they were registering to take, as well as when the exam would be and who was proctoring it.

In the mail merge files, there was data for almost 13,000 students from Chandler School District in Arizona, St. Vrain Valley School District in Colorado, Community High School District 117 in Illinois, Utica Community Schools in Michigan, Edina Public Schools in Minnesota, Wake County Public Schools in North Carolina, Wausau School District in Wisconsin, Fox Chapel Area School District in Pennsylvania, Cherokee County School District in Georgia, Woodland Joint Unified School District in California, Pflugerville Independent School District (ISD) in Texas, Cypress Fairbanks ISD in Texas, Friendswood ISD in Texas, Midway ISD in Texas, RoundRock ISD in Texas, Lewisville ISD in Texas, Duncanville ISD in Texas, and Garland ISD in Texas.

And that was just the mail merge files. There were hundreds of other files that each contained data on hundreds of students. Some of the students with data in the other files were from the districts named above, but there were students from hundreds of other districts throughout the country as well, as the partial list below suggests:

[Image: partial listing of files in the unsecured bucket]

Some of the files contained students’ date of birth, as well as additional demographic information on students and their parents. A quick analysis of files in one directory returned approximately 300,000 unique email addresses. If there were two email addresses for each student (one the student’s and one their parent’s), that would suggest that approximately 150,000 students’ data may have been in the unsecured files.

DataBreaches.net redacted a registration confirmation file for a student from Miller Place School District in New York. As you can see, the form contained information about the student and parents:

[Embedded document: AP_exam_registration_confirmation_Redacted]

Miller Place School District was sent a notification and inquiry on May 7, but did not respond.

DataBreaches.net sent email notifications to a few other school districts as well, inquiring whether they had been notified of any potential leak by the vendor, and providing them with some student data from the exposed files that they could use to verify whether the data was indeed student data. DataBreaches.net got no response from the few schools this site emailed, but did get an immediate response to a voicemail left for St. Vrain Valley School District in Colorado. Kudos to them for their prompt response.

If you are the parent of a student who signed up for an AP test, the PSAT, or an IB examination in April, you may want to inquire whether your child’s school used TotalRegistration.net as their vendor for the sign-ups. From my brief analysis of the exposed data, it appears to be a time-limited database, i.e., this is not a cumulative database with past records, but just contained registrations for then-upcoming tests.

Categories: Education Sector, Exposure, Subcontractor, U.S.
