NYC Special Needs Students' Records Found Exposed on Web
Researcher Says Database Containing Nearly 50,000 Documents Appears Secure Now
Tens of thousands of documents containing personal information of special education students within New York City's public school system were held in an unsecured database exposed to the internet.
Researcher Jeremiah Fowler of security services firm Security Discovery told Information Security Media Group he found the unsecured database in mid-February and immediately notified Encore Support Services, the apparent owner of the database. The database has since been secured, Fowler said.
Neither Encore nor the New York City public school system immediately responded to ISMG's requests for comment on Fowler's findings and for additional details, including whether the incident would be reported to regulators as a data breach.
The exposed documents were billing invoices submitted by Encore - a provider of education and behavioral health services to children ages 5 and up with special needs such as autism - to a unit of New York City's public school system responsible for specialized instruction and educational services.
Information contained in the invoices included student and parent names, addresses, types of services students received, length of sessions, and costs.
Some of the approximately 47,200 records contained in the 6.74-gigabyte database appear to pertain to the same students, who received various services from Encore over multiple years, as far back as 2018, Fowler said. That made it difficult for him to conclude how many individual students' information was potentially exposed.
Also unclear is how long the documents were left unsecured on the database and how the incident occurred, he said.
"Often, companies and organizations will upload records or documents in a general storage database and then create non-password-protected links to an individual image assuming that it is safe, when it is not," Fowler said. "This link to the document could be accessible to parents or the individual employee in a private email or user account. The problem with this method is that someone who has that link can see the name and location of the database and access all of the records," he said.
It is "a major security flaw" for sensitive or health-related data to be shared this way, Fowler said. "The fact that the records were still there and not wiped out by ransomware tells me they were most likely not exposed for very long."
Security firm Emsisoft recently reported that 45 U.S. school districts operating 1,981 schools were affected by ransomware attacks in 2022.