A recent cybersecurity researcher discovered a database containing up to 680,000 records related to educational institutions.
What happened
In a report released to WebsitePlanet, researcher Jeremiah Fowley discovered that a database belonging to the Southern Association of Independent Schools (SAIS) had over 680,000 records that were not password protected.
Fowler writes that in all of his investigations, “this discovery is among the most sensitive data collections I have ever encountered.” Some documents were even marked as “confidential” and contained third-party security reports on school vulnerabilities. Upon discovering the data, Fowler sent a responsible disclosure notice to SAIS. The organization quickly replied, and the database was secured from public access.
Going deeper
SAIS is a non-profit organization supporting schools and educators throughout the U.S. and other countries, including the Caribbean and Latin America.
Included in the database was health information, teacher background checks, Social Security Numbers, active shooter and lockdown notifications, maps of schools, financial budgets, and more. The discovered documents were dated ranging from 2012 to 2023.
Fowler believes that this information, and more, was collected by schools desiring SAIS accreditation. Fowler was able to look at individual students’ protected health information and other data, like emergency contact information.
Why it matters
Fowler notes that the information was highly vulnerable to criminals, who would have been able to apply for loans or credit cards using the school’s name.
While one school data breach would carry its own risks, Fowler was able to gain access to multiple schools and various files containing both school logistics and personal information from one singular database.
According to Fowler, it is unclear how long the data was publicly exposed or if anyone else was able to access the documents during the exposure.
As a note, Fowler implies no wrongdoing on the part of SAIS, but wanted to raise awareness surrounding vulnerable data.
What they are saying
The situation at SAIS should serve as a reminder to all educational organizations regarding the storage of data. Fowler says, “I highly recommend schools, educational institutions, and accreditation organizations take all possible steps to mitigate the risks of a data breach.”
“First of all, they should implement basic cybersecurity measures, such as firewalls, encryption, and multi-factor authentication,” Fowler adds. He also stresses the importance of staff training on best practices for cybersecurity. Lastly, he recommends that staff be trained on incident response in the event of a breach.
While there is limited data specific to school settings, reports in the spring did reveal that healthcare staff often do not implement cybersecurity strategies as they should.
Read more: New survey reveals gap in cybersecurity implementation
The big picture
All schools and academic institutions must comply with data protection laws such as Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protect Act (COPPA). While elementary and secondary schools are generally not required to be HIPAA compliant, many of the HIPAA requirements overlap with existing regulations.
Even if an organization does not need to be HIPAA compliant, the risk of breaches that can impact students, staff, and the school is reason enough to consider additional security measures.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
