DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Leaking Student Data From US Campus App Found — But is It Real?

Posted on June 7, 2022 by Dissent

Another day, another leak.

Another leak, another entity claiming it’s not real data.

Another leak, another frustrating experience trying to responsibly disclose.

According to Safety Detectives, they found exposed data related to an app called Transact Campus:

 Transact Campus’ technology integrates several payment functions into a single mobile platform to power student purchases at higher education institutions. Transact Campus’ services streamline payment processes for students and institutions alike.

An Elasticsearch server containing data related to Transact Campus was left unsecured, without any password protection, and has therefore exposed over 1 million student records.

Both payment and personal information were implicated in the leak:

    • Full names
    • Email addresses
    • Phone numbers
    • Login credentials in plain text, incl. usernames and passwords
    • Transaction details, incl. amount and time of purchase
    • Credit card details (incomplete), incl. 6 first digits (BIN*) and last 4 digits of credit card numbers, expiry dates, and bank details
    • Purchased meal plans and meal plan balances

*Note: A Bank Identification Number (BIN) is the first six digits of a payment card number. These numbers identify the card issuer.

But according to Transact Campus, who finally responded more than one month later to attempts to notify them, the leaking server was not under their control and the data weren’t real:

Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.

But Safety Detectives was apparently not convinced of that, and added a note:

NOTE: We checked a sample of users on the open Elasticsearch and this data seemed to belong to real people.

Read more at Safety Detectives. This sounds like Transact Campus will not be going further with the notification, and who is the third party who might be responsible? And were the data real? It would be great if there was some regulator who, you know, might actually investigate the incident to determine if notifications should be made.

Category: Education SectorExposureSubcontractor

Post navigation

← LockBit tries to get media’s attention for their response to a Mandiant analysis
Shields Health Care Group notifies 2,000,000 patients after hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.