The student admissions site recently fixed a large security vulnerability.
What happened
Ravenna Hub, a website that allows parents to apply and track application status to thousands of schools, recently fixed a bug that exposed numerous children's personal information, as well as their parents’. While the exact number of victims has not been confirmed, a news source estimates that over one million student applications, and the parent data within them, may have been accessed. Another news source, The Tech Buzz, provided much lower estimates, believing the numbers may only be in the thousands.
Child data exposed included children’s names, dates of birth, addresses, pictures, and details about their schools. Parent or guardian data exposed included email addresses and phone numbers. In some cases, data related to siblings may have also been exposed.
Going deeper
So far, neither Ravenna Hub nor its parent company, VenturEd Solutions, which develops and maintains the site, have spoken about the incident, which was first discovered by TechCrunch on February 18th. The bug was fixed on the same day. TechCrunch contacted the chief executive of VenturEd Solutions, Nick Laird, about the incident. Laird said the incident was being investigated, but would not provide further details.
In the know
TechCrunch determined that the specific vulnerability impacting Ravenna Hub was an insecure direct object reference (IDOR), a common flaw that allows users to access stored information because of weak or non-existent security controls on the servers. TechCrunch further explained that “the bug allowed any logged-in user to access another student’s data, including personal information, by modifying the unique number associated with a student’s profile using their web browser’s address bar.”
The big picture
This incident marks the second large security lapse in student data this year. In January, online mentoring site UStrive faced a security flaw that may have impacted up to 1.1 million high school and college students.
Unlike with healthcare data breaches, breaches involving students are subjected to different laws. The Family Educational Rights and Privacy Act (FERPA) does not explicitly require parents to be notified of data breaches. However, most states have notification requirements when personal data is compromised. Colleges are also required to report breaches to the U.S. Department of Education under certain circumstances.
The varying reporting laws can make educational data breaches more difficult to track on the national scale, but organizations still have an obligation to comply with FERPA’s data protection requirements. Paubox specializes in providing email encryption tools to educational institutions, preventing accidental breaches and flagging potentially malicious emails before they reach staff or students.
FAQs
Why don’t we know the exact number of impacted data?
Currently, Ravenna Hub isn’t required to report the exact number of impacted individuals to any national database. All information about the number impacted are estimates based on the size of Ravenna’s user database.
Can educational institutions also face class action lawsuits?
Yes. Class action suits usually allege that the breach resulted in pain and suffering for victims or monetary losses. If victims believe they were negatively impacted by this breach, they may seek legal representation.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Abby Grifno
