Vendor used by schools to register students for AP and PSAT exams left personal information of thousands students unsecured

A school contractor that provides online registration so students can sign up for AP and PSAT exams misconfigured their cloud storage, exposing students’ and parents’ personal information.

A number of school districts or schools contract with a firm in Colorado called Total Registration, who, according to their web site, registered more than 525,000 students from more than 1,220 schools in 2018.

In early April, DataBreaches.net was contacted by a researcher who had discovered that Total Registration had failed to secure their Amazon bucket, leaving student and parent information exposed in plain text, without any password required to access it.

DataBreaches.net reached out to the firm to notify them, and received an acknowledgement that the problem had been taken care of.  But the firm did not respond when this site subsequently sent them an inquiry as to whether they were notifying any students or their client school districts about the exposure.

In the absence of an answer about notification, DataBreaches.net took a closer look at what was in the files provided to this site by the researcher.

One type of file was mail merge spreadsheets.  Cursory analysis of those files showed that they contained students’ last and first names, their student ID number, their email address (which in many cases was a school-issued email address), their parent’s email address, their telephone number, their postal address, the AP exams they were registering to take, as well as when the exam would be and who was proctoring it.

In the mail merge files,  there was data for almost 13,000 students from Chandler School District in Arizona, St. Vrain Valley School District in Colorado, Community High School District 117 in Illinois, Utica Community Schools in Michigan, Edina Public Schools in Minnesota, Wake County Public Schools in North Carolina, Wausau School District in Wisconsin, Fox Chapel Area School District in Pennsylvania, Cherokee County School District in Georgia, Woodland Joint Unified School District in California, Pflugerville Independent School District (ISD) in Texas, Cypress Fairbanks ISD in Texas, Friendswood ISD in Texas, Midway ISD in Texas, RoundRock ISD in Texas, Lewisville ISD in Texas, Duncanville ISD in Texas, and Garland ISD in Texas.

And that was just the mail merge files. There were hundreds of other files that each contained data on hundreds of students. Some of the students with data in the other files were from the districts named above, but there were students from hundreds of other districts throughout the country as well, as the partial list below suggests:

Partial listing of files unsecured bucket.

Some of the files contained students’ date of birth, as well as additional demographic information on students and their parents.  A quick analysis of files in one directory returned approximately 300,000 unique email addresses. If there were two email addresses for each student (one the student’s and one their parent’s), that would suggest that there were approximately 150,000 students’ whose data may have been in the unsecured files.

DataBreaches.net redacted a registration confirmation file for a student from Miller Place School District in New York. As you can see, the form contained information about the student and parents:

AP_exam_registration_confirmation_Redacted
 

Miller Place School District was sent a notification and inquiry on May 7, but did not respond.

DataBreaches.net sent email notifications to a few other school districts as well, inquiring whether they had been notified of any potential leak by the vendor, and providing them with some student data from the exposed files that they could use to verify whether the data was indeed, student data.  DataBreaches.net got no response from the few schools this site emailed, but did get an immediate response to a voicemail left for St. Vrain Valley School District in Colorado.  Kudos to them for their prompt response.

If you are the parent of a student who signed up for an AP test, the PSAT, or an IB examination in April, you may want to inquire whether your child’s school used TotalRegistration.net as their vendor for the sign-ups.  From my brief analysis of the exposed data, it appears to be a time-limited database, i.e.,this is not a cumulative database with past records, but just contained registrations for then-upcoming tests.

About the author: Dissent