700,000 Sensitive Teacher, Student Records Exposed on WebResearcher Says Hackers Could Have Seen Salary Info, Child Abuse Reports and More
A security researcher recently found a database exposed to the internet containing sensitive information on independent school students and faculty including financial data, salaries, professional details, health information and child abuse reports.
The unprotected database of the Southern Association of Independent Schools affected about 700,000 records and potentially nearly as many - or even more - people, said Jeremiah Fowler, security researcher and co-founder of security services firm Security Discovery, in a report released Thursday.
Fowler immediately notified SAIS, and the Norcross, Georgia-based group quickly addressed the issue, securing the database, he said.
"There is really no way to know how long it was exposed or who else may have had access to the data," Fowler told Information Security Media Group. "Only a forensic audit would identify this, and they obviously wouldn't share that information with me or the public. However, I could not find any record where they notified or announced there was a data breach."
SAIS touts itself as the country's largest regional independent school association, with nearly 400 member schools in grades K-12 across 16 U.S. states, the Caribbean and Latin America, representing more than 227,000 students.
Documents contained in the database ranged in date from 2012 to 2023 and included a wide variety of highly personal and sensitive records, Fowler said.
That includes multiple types of student records, such as medical history, immunizations, and allergy information, child abuse reporting forms and documents requesting accommodation for special needs. Exposed faculty and school information includes teacher background checks, professional development details, Social Security numbers, salary and financial budgets - as well as active shooter and lockdown notifications and maps of schools.
"This was one of the most sensitive databases I have seen in a very long time," Fowler told ISMG.
The database, in a cloud storage repository, was misconfigured to be non-password-protected and publicly accessible, he said. "It appeared to be their primary server," he said, and a vendor configuration was not the cause of the exposure.
The database, which contained 682,438 records and had a total size of 572.8 gigabytes, included multiple document formats, including PDF, Excel, PPTX, doc, docx, png, jpg and more, Fowler said.
Because any single document contained "a massive amount of information," he said it is difficult to estimate the exact number of individual schools, faculty, students and others potentially affected by the unprotected database.
"There were references to the database being a production environment. This was most likely all of the supporting documents required for accreditation," he told ISMG.
"This breach affected a very large number if not all of the schools. They require a limited number of documents for accreditation from each school so the total number could realistically reflect all schools, based on the total size."
The most concerning records exposed included student information, Fowler told ISMG. "Children's data is extremely sensitive because they have no established footprint. Health data, unlike credit history, is forever. A child with a medical condition will likely have this issue for the rest of their lives."
Also troubling were unprotected details pertaining to individual schools, he said. "Safety and security data is highly sensitive when you have an exposed report of a school's weaknesses and vulnerabilities, maps and images. It could be a step-by-step plan for domestic terrorists or a school shooter to bypass physical security measures."
Finally, compromised personal information such as names, birthdates and Social Security numbers potentially could put individuals at risk of identity theft and other crimes, he said.
In the past, Fowler has discovered other unsecured databases containing sensitive records exposed on the internet, including a database he found earlier this year that contained tens of thousands of documents pertaining to special education students within New York City's public school system (see: NYC Special Needs Students' Records Found Exposed on Web).
Still, the diverse variety of documents contained in the exposed SAIS database was especially worrisome, he told ISMG. "This is one of the most extreme examples of a wide range of data I have seen in years. This is not common to have so many diverse records in one place."
SAIS declined ISMG's request for comment, including on whether the association plans to report the incident to affected individuals or regulators.