DataBreaches.Net

NC: UCPS student information made vulnerable due to insufficient security protections by vendor, superintendent says

Posted on October 28, 2022 by Dissent

WBTV Web Staff and Nick Ochsner report:

Private information of students at school districts and charter schools across the state was left vulnerable by a software misconfiguration by a third-party vendor, Union County Public Schools Superintendent Andrew Houlihan told parents in a letter this week.

According to the letter, the misconfiguration came after iLeadr, a company used by multiple school districts and charter schools, stored records in a cloud-based storage container without sufficient security protections.

Read more at WBTV.

Incident First Reported to NC by DataBreaches

DataBreaches first reported the i-LEADR incident to North Carolina after reaching out via Twitter on July 22.  The misconfigured blob had been discovered by a researcher who had contacted DataBreaches after finding it in routine searches.  Neither the researcher nor DataBreaches could definitively determine who owned the blob. All we could tell for sure was that public school students in North Carolina were having their personal information exposed improperly.

Within hours of DataBreaches’ tweet requesting notification assistance, this site was contacted by North Carolina’s cybersecurity strike team (NCLGISA). The strike team is a group of volunteers who are all CIOs or deputy CIOs in local governments.

Within hours, they contacted DataBreaches again to report that they had conclusively determined the source of the leak and had already taken steps to get data locked down and appropriate entities notified.

What Did i-LEADR Do in Response?

But who was notified by i-LEADR?  Did the vendor notify a single family or a single school district client?

Earlier this week, DataBreaches sent an inquiry to i-LEADR asking about their incident response and who they notified in states other than North Carolina. In hindsight, the inquiry probably should have also asked them if they had notified any client in North Carolina. Despite a second request, a reply has yet to be received to DataBreaches’ inquiries.

DataBreaches was aware that the blob reportedly had more than 700,000 folders being updated, but that does not mean there were 700,000 unique students.  But it did indicate that there was a lot of data stored on that blob without adequate security.

As far as DataBreaches can determine, i-LEADR hasn’t disclosed the leak on their website. Nor has DataBreaches found any press releases or media notices.

Did i-LEADR have adequate logs to determine any access to the blob?  When was the blob first exposed?

Is i-LEADR monitoring the dark web to see if any data show up for sale or free download?

i-LEADR is a signatory to the Student Privacy Pledge. One might have hoped for and expected more transparency from them.

North Carolina Responds

Kudos to North Carolina for their prompt response to DataBreaches’ notification to them. They have issued their own press release this week:

On the afternoon of July 22nd, DPI began investigating a report of potential data exposure with the vendor i-Leadr.com. This vendor was contracted directly with the impacted Public School Units (PSUs) and not through NCDPI.

As soon as NCDPI was notified, the agency worked promptly and activated the cyber incident plan working directly with NC Department of Information Technology (NCDIT) and other members of the Joint Cyber Task Force (JCTF).

Together the agencies and impacted PSUs conducted a thorough investigation and took immediate actions to protect student data. Appropriate law enforcement agencies were involved with the investigation.

Because of the nature of the investigation, and in accordance with North Carolina General Statute Section 132-1.4, NCDPI is not able to confirm which PSUs were affected. But NCDPI can confirm that respective legal counsels for any impacted PSUs were notified within the affected PSUs on July 25, 2022. To the extent that any notification is required, it will originate from the PSU to the impacted individuals.

There is Much We Do Not Know

Even though i-LEADR had not contracted with the state itself, North Carolina notified affected school district units in North Carolina, and at least one affected PSU, Union County Public Schools, decided that notifications to parents were required. That district also stopped using i-LEADR’s services after they became aware of the incident. Did any other districts notify parents? Did any other districts stop using i-LEADR? DataBreaches does not know.

The Superintendent’s letter does not indicate when the blob was first exposed without security. Were they given that information by i-LEADR? Does i-LEADR even know?

Did i-LEADR reach out to its clients to alert them to this incident? We do not know and i-LEADR did not respond to inquiries. Were any districts in other states notified by i-LEADR?

DataBreaches sent an inquiry to the U.S. Education Department (USED) about this incident, asking whether USED had notified other states, or districts in other states, about it. No reply has been received.

Because i-LEADR signed the Student Privacy Pledge, maybe the Future of Privacy Forum, The Software & Information Industry Association (SIIA), and those involved in advocating for greater security and data protection in EdTech such as K12 Six should investigate this incident and determine whether i-LEADR’s data security and incident response are compatible with best practices or not.


 

Article edited post-publication. 
