It may be hard to resist naming a database after a favorite movie, but a database named “Coruscant” caught a researcher’s eye during a search of Shodan.io for exposed databases. And the rest, as they say, well… read on.
The Cambridge Institute of International Education (CIIE) is a Boston-based educational consulting firm whose mission is to boost the enrollment of international students in U.S. schools. Their web site indicates that they partner with over 200 private high schools, public high schools, colleges and universities. According to a statement by their corporate counsel to this site, any records they maintain on students are not covered by FERPA.
Unfortunately, Cambridge has joined the all-too-numerous ranks of entities that failed to adequately secure a MongoDB database hosted on Amazon cloud services. As a result, a lot of personal information on students and their hosting families would have been viewable by anyone, with no login required. One folder, for example, contained over 627,000 records, although that figure counts records, not unique students.
MacKeeper Security Research alerted this blogger to the situation because they had not gotten a response to their attempt to notify Cambridge via e-mail. Yesterday morning, this site attempted notification via Cambridge’s web site contact form. Getting no response after one hour, and concerned by the exposed personal information, DataBreaches.net called Cambridge directly. Within a matter of minutes, the database was secured.
As MacKeeper Security Research reports, there was a lot of personal information that had been exposed:
…. names, emails, passwords, phones, account details, relatives (sic) info, passport details (all in plain text). Plus there was even correspondence records between the Cambridge Institute of International Education team members, and housing reports and working links to the pdf’s and payment confirmations.
In addition, there was an additional collection of records that included the detailed information of 12,000+ hosting houses, including the information on a household, family member details (such as medical conditions, if any, religious beliefs, even frequency of attending religious activities), occupation details, incl. emails and phones, birthdates, and other extremely sensitive data on the personal privacy of the host families.
The screen shots below were provided to DataBreaches.net by MacKeeper:
In Fig. 2, both the student’s full name and the host family’s full name were included in the record with notes on their adaptation to the host family and school, health, and behavior. The school’s name was also included.
A lot of other personal information was included in other records on the hosting family. A redacted copy of one such record has been uploaded here (.pdf).
In response to DataBreaches.net’s notification, CIIE promptly secured the database, conducted a preliminary investigation, and then called DataBreaches.net to report their preliminary findings. According to statements made during that conversation, the database, which had been used for testing purposes, was first exposed in December, 2015. Preliminary investigation revealed that it had been accessed three times since then prior to the MacKeeper researchers discovering it on June 4. The access in those prior instances was reportedly only for a few minutes each, and CIIE does not believe that the data were copied or downloaded by others, but they are continuing their investigation.
According to CIIE IT personnel on the phone call with DataBreaches.net, there were approximately 7,000 students who had data in that database (but see their subsequent statement, below, with a somewhat higher estimate).
In response to the incident, CIIE has made the decision to notify those affected. They will also be posting a notice on their web site, and have provided DataBreaches.net with a preliminary statement:
The Cambridge Institute of International Education recently learned that certain data on one of our servers was unsecured to outside cyber-attacks and was subjected to breach. The server at issue was created for a special reporting project outside of our normal development cycle. As soon as we learned about the exposure, we immediately shut down the database. As a further protective measure, we changed all passwords on all servers, and changed all ports. At this time, the company is undergoing a thorough investigation of server activity. We are aware that some personally identifiable information was exposed.
Contrary to media reports alleging that records of over half a million international students were contained on the database, we can affirm that the exact number of students is just below 9,000.
We place paramount importance on our students and partners’ privacy. As a result of the notification of the exposure, we are reassessing all of our data security policies and procedures, and will take all necessary steps to elevate security controls to protect any personal identifiable information. In the meantime, as we learn more, we will continue to provide updates on this page. The company will personally notify those individuals affected after our thorough investigation is completed.