DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Leaking Student Data From US Campus App Found — But is It Real?

Posted on June 7, 2022 by Dissent

Another day, another leak.

Another leak, another entity claiming it’s not real data.

Another leak, another frustrating experience trying to responsibly disclose.

According to Safety Detectives, they found exposed data related to an app called Transact Campus:

 Transact Campus’ technology integrates several payment functions into a single mobile platform to power student purchases at higher education institutions. Transact Campus’ services streamline payment processes for students and institutions alike.

An Elasticsearch server containing data related to Transact Campus was left unsecured, without any password protection, and has therefore exposed over 1 million student records.

Both payment and personal information were implicated in the leak:

    • Full names
    • Email addresses
    • Phone numbers
    • Login credentials in plain text, incl. usernames and passwords
    • Transaction details, incl. amount and time of purchase
    • Credit card details (incomplete), incl. 6 first digits (BIN*) and last 4 digits of credit card numbers, expiry dates, and bank details
    • Purchased meal plans and meal plan balances

*Note: A Bank Identification Number (BIN) is the first six digits of a payment card number. These numbers identify the card issuer.

But according to Transact Campus, who finally responded more than one month later to attempts to notify them, the leaking server was not under their control and the data weren’t real:

Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.

But Safety Detectives was apparently not convinced of that, and added a note:

NOTE: We checked a sample of users on the open Elasticsearch and this data seemed to belong to real people.

Read more at Safety Detectives. This sounds like Transact Campus will not be going further with the notification, and who is the third party who might be responsible? And were the data real? It would be great if there was some regulator who, you know, might actually investigate the incident to determine if notifications should be made.

No related posts.

Category: Education SectorExposureSubcontractor

Post navigation

← LockBit tries to get media’s attention for their response to a Mandiant analysis
Shields Health Care Group notifies 2,000,000 patients after hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.