Transcript Site Reports VulnerabilityInfo on Those Seeking School Records May Have Been Exposed
A security vulnerability at the high school transcript request website NeedMyTranscript.com may have exposed the personal information of about 100,000 people.
In a brief statement on its website, the company says that it became aware of a specific vulnerability in the security of some of its files. "We fixed that vulnerability within hours, ordered a security scan by our host provider to confirm that no malware was installed, and hired an experienced cybersecurity firm to investigate and assist with security," the statement says.
NeedMyTranscript, based in Charlotte, N.C., facilitates high school record requests in all 50 states, covering more than 18,000 high schools, according to its website.
The incident came to light in a report by the Washington Post. According to the report, after signing into the site, a user encountered an error message containing a link to a publicly available subdirectory on the website, which contained links to the data of almost 100,000 individuals.
An analysis by the Post suggests that the incident may date back to the site's creation in February 2012. Data included in the subdirectory that may have been exposed includes names, addresses, e-mail addresses, phone numbers, dates of birth, mothers' maiden names and the last four digits of the users' Social Security numbers, the Post says.
NeedMyTranscript says in its statement that no malware was found on its systems, and that it does not believe any customer information was inappropriately accessed, although the investigation is ongoing.
The company says it does not store customer high school transcripts, credit card numbers or full Social Security numbers on its website. "Although we don't believe that you are at risk of harm as a result of this vulnerability, we still recommend that all of our customers use good judgment in not responding to e-mails or other inquiries by those posing as a financial institution or other entities seeking your personal information," NeedMyTranscript says.
The company declined to comment beyond its statement.