Thanks to a flaw in Web site configuration, The Princeton Review, a test-preparatory firm, published more than 100,000 student records online. According to the New York Times, anyone who typed in a relatively simple Web address had access to hundreds of files on the company’s network, including educational materials and internal communications.
Student records exposed because of configuration error. (IMG:J.Anderson)
The reasoning is said to be the result of the company changing Internet providers earlier this year, exposing the confidential data for seven weeks. The Princeton Review's Web site exposed the DOB (date of birth), test scores, and ethnicity of 34,000 students in Florida, after a county in the state hired The Princeton Review to measure academic progress.
In addition, another file revealed the dates of birth and names of 74,000 students in Virginia.
"As soon as I found out about this security issue we acted immediately to shut down any access to this information," said Stephen C. Richards, the company’s chief operating officer, to the NYT. "The Princeton Review takes Internet privacy seriously, and we are currently conducting a review of all of our procedures."
However, that task is easier said than done, as most of the information was available on various search engines for some time (Google). Proprietary information was exposed as well, according to the Times report.
"In addition to the information on students, the site contained the Princeton Review’s educational materials for the LSAT, PSAT and SAT exams, course schedules, an internal analysis of the effectiveness of the company’s instructors, and the entire texts of some Princeton Review books."
"This should be a very embarrassing incident for The Princeton Review and should be a good example for other organizations of what could happen if information security is not managed well in throughout the business," wrote Evan Francen on The Breach Blog.
The killer twist to this story is that the data breach was discovered and exposed by a competitor of The Princeton Review as it conducted competitive intelligence.
"If you need any encouragement to make sure that your house is in order and your data secure, and the threat of identity thieves isn't enough for you, then maybe the thought that a business rival might take your blunder to the press will do it," added Graham Cluley, senior technology consultant for Sophos.
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Advertising
Comment on this Story