Data Danger: Recruitment Database Leaks 1 million Students’ Details
July 2020 by CyberNews
Recently, leading cyber security news website CyberNews discovered an unsecured Amazon S3 bucket containing almost 1 million high school students’ records and sensitive information.
The data included students’ GPA, ACT, SAT and PSAT scores. There were also unofficial transcripts, messages between students and teachers, student IDs and student details alongside their families’ private data (names, pictures, emails and addresses). The bucket is owned by CaptainU, a college recruitment website aimed at helping student athletes get in contact with university coaches.
CyberNews also discovered images and videos of athletic achievements made by the students, which can lead to drastic effects if the details fall into the wrong hands.
At this moment, it is unclear who had access to the unsecured Amazon S3 bucket. Some documents date back to 2016, while some images go back as far as 2012. Due to the relative ease of looking through the database, there’s a chance that others have accessed this data too.
Since CaptainU is a private company, and because users willingly handed over their academic and personal data, there seems to be little legal consequence.
CaptainU is already fully aware of the extent of the leak but chose to do nothing about it.
CyberNews experts recommend that businesses in this situation communicate the information to customers and protect those who would like to disable public access to the files. They should also offer identity theft protection to all users and, of course, issue an official apology for putting the sensitive data of so many young athletes at risk.
Keeping in mind that the students exposed were between the ages of 13-18, CyberNews surveyed 3,204 parents to see how aware families are of the risk of data exposure.
Of the parents surveyed, a worrying 74% believe their children aren’t aware of the dangers of data leaks, while only 26% believe their children are. Children who are unaware of these dangers are, much like the minors whose leaked data CyberNews found, exposed to potential phishing campaigns that could entail blackmail and exploitation.
More than half of parents (52%) have not spoken to their children about data protection and hacking, despite 87% of their children already having access to a smartphone or tablet. Children frequently use online services and have become more tech savvy than ever before, meaning they do not require help or adult supervision.
Only 36% of parents feel equipped with the knowledge to teach their children about internet safety. NSPCC estimates that 90 cybercrimes are recorded every day against children, so it is more important than ever to teach your children about internet safety.
Finding out where your data has been leaked to after a data breach is nearly impossible, especially if it’s sold on a dark web black market where illicit data trades often leave no trace. It’s best to take precautionary steps to secure your data after a data breach.
In a bid to help unaware parents, CyberNews provided these tips:
Introduce parental controls:
Parental controls can help to filter content that is inappropriate or upsetting and can help with controlling your children’s purchases within apps. Parental controls can be used on your home internet devices and even online services such as Netflix and YouTube. Don’t forget to also encrypt sensitive personal data on your own device and use encrypted messaging, email, and file storage services.
Take time to talk to your children and set boundaries on what they can and cannot do online. Let them know the types of sites they can visit, information they can share with third parties and set limits on internet usage to avoid overexposure.
It is becoming more and more common for children to join social media from an early age. Make sure they are of legal age, as most apps have an age requirement of 13. These age requirements are a good guide to what is suitable for your children.
Turn on safe search:
Using safe search engines like DuckDuckGo or Kids-search can help keep your children safe. These search engines can prevent your children from landing on websites that contain inappropriate content. You should also have two-factor authentication enabled on all of their accounts.
The next steps to take are to monitor your online accounts for suspicious activity that you don’t recognize and set up fraud monitoring with your bank or credit institution. However, if you want to be 100% certain that none of the data acquired during a breach will be used against you in the future, you’d have to replace every account and document exposed in said breach.