College Recruitment Database Leak

A database containing personal information of nearly a million students was found leaked.

Description

In July 2020, an Amazon S3 (Simple Storage Service) database, containing nearly 1 million records of sensitive high school student academic information was found unsecured. ^Insecurity

The unsecured bucket seemed to belong to CaptainU, an online platform that purports to help connect student athletes and colleges or universities that are interested in recruiting them for their athletic programs.

Because of that, the bucket also contains pictures and videos of students’ athletic achievements, messages from students to coaches, and other recruitment materials. The data also included following personal information: GPA scores, unofficial transcripts, ACT, SAT, and PSAT scores, student IDs, student and parent names, addresses, phone numbers, and some email addresses, camp schedules, and other coaching-related documents.

The data leaks concern minors (being high school students) aged 13-18.

Through an Amazon representative, CaptainU claimed that the sensitive educational data was “meant to be openly available”. But it seems that CaptainU never mentioned this fact to the students or their parents. This is an example of Increased Accessibility.

High school students in the United States are protected under various laws, while students in general have their academic records protected under the Family Educational Rights and Privacy Act (FERPA).

Laws and Regulations

Family Educational Rights and Privacy Act

Sources

https://cybernews.com/security/college-recruitment-database-leaking-nearly-1-million-students-gpas-sat-scores-ids-and-other-personal-data/