Doug Levin has a write-up on the Total Registration data security incident first reported by this site.
Doug raises a number of important issues and comments, and I hope his commentary gets wider coverage and discussion.
I’m still mulling over the fact that a few of the school districts that this site attempted to notify did not respond to emailed notifications. Did they contact the vendor to find out more, or did they do nothing? Did they even read the notifications?
If there’s no press release or disclosure about the incident, I may go through the data I received from the researcher and see if I can compile a list of all the districts or schools that had data unsecured on the day the researcher found the exposed database. It won’t be complete, as we don’t know for how long the database had been exposed and whether other data had been exposed but had rolled over.
And as of this morning, I just sent a notification, via their web site, to a school district in Illinois, where I found data from students at four of their high schools exposed. Using their web site, I uploaded screenshots of exposed data. Let’s see what they do, if anything.