California Virtual Academies (CAVA) is a network of 11 publicly funded K-12 charter schools in California. Researcher Chris Vickery recently contacted DataBreaches.net after he found a database with 58,694 of their students’ records leaking. In addition to a large amount of personal information on the students, all in plain text, the leaking data included information on student disabilities and special education needs, services, and goals – again, all in plain text.
Here are redacted screencaps from two of the directories, just to give you an idea of what kind of information was vulnerable to access. The first screencap is from a case notes directory and has information about a therapy session with a service provider:
Another directory contains special education profiles that contain the student’s date of birth, gender, ethnicity, grade, whether they have an I.E.P. (Individualized Education Program) and if so, what the goals are. There is also a section if the student has a 504 plan, and if so, what the reasons are for it. The profile also indicates whether the student is on a reduced fee or free lunch program. Social Security numbers do not appear to be included in this directory:
Yet another file, a spreadsheet, includes students’ full names, gender, birthday, school of attendance, grade, student ID, special education status, their teacher’s name, and their teacher(s)’ contact information. The pairing of a student ID number with a full name has privacy implications, since it allows other records keyed by that ID to be aggregated or matched to an identifiable student.
According to CAVA’s web site, the students’ records are covered by FERPA.
Employee Payroll Data Also Leaked
The database also contains employee information on what Vickery estimated as approximately 17,000 employees: first and last names, email addresses, Social Security numbers, and payroll information – all in plain text. Curiously, encrypted passwords were immediately followed by the passwords in plain text:
When contacted by Vickery about the exposure, CAVA responded promptly and ensured their database was secured.
DataBreaches.net requested a statement from CAVA asking for how long these data were exposed, whether the data had been accessed by anyone other than Vickery, and whether they intended to notify parents of students and employees.
Jeff Kwitowski, a spokesperson for k12, CAVA’s education and technology provider, informs DataBreaches.net that CAVA’s database was on the server of a third-party vendor who was responsible for it. Schools can contract with k12 for information security services or independently contract with another provider. In this case, CAVA did not contract with k12 to manage and secure its database. According to Kwitowski, when Vickery contacted CAVA, CAVA immediately contacted k12, and although k12 was not responsible for the security of the database, k12’s IT department immediately did its due diligence, confirmed the leak, and contacted the third-party contractor to alert them. k12 IT personnel also investigated to determine whether any other schools they provide services to might also have databases at risk.
At the time of this posting, the unnamed contractor is reportedly auditing the system to identify any unauthorized IP addresses that may have gained access, and is also running additional security checks. It is not yet clear for how long the student and employees’ information may have been vulnerable, nor whether any other clients of the unnamed contractor may have been similarly affected. DataBreaches.net has submitted a public records request to CAVA for a copy of their contract with the third-party vendor responsible for securing their database.
“Data security is paramount,” Kwitowski tells DataBreaches.net. “k12 and CAVA will continue to investigate, collect more information, and notify affected individuals as needed.”
This post will be updated as more information becomes available. Great thanks to Chris Vickery for alerting me to this leak.