US education software company exposed personal data of 1.2 million students – TechCrunch

SmarterSelect, a US-based company that provides software to manage the scholarship application process, exposed the personal data of thousands of applicants due to an improperly configured Google Cloud Storage bucket.

The data dump, discovered by cybersecurity firm UpGuard, contained 1.5 terabytes of data collected by a number of programs that provide financial support to students. The data included documents such as transcripts, resumes and invoices for approximately 1.2 million funding program applications, dated November 2020 through September 21, 2021. SmarterSelect’s website says it has served 1.6 million people to date.

A folder hosted on the public bucket hosted 23,000 spreadsheets and 8,000 ZIP files, according to UpGuard’s analysis. For applicants, these files contained contact information like name, email address, and phone number, along with much more in-depth details like their parents’ education and income, student performance. at school and personal experiences such as living with a host family or abusive situations.

Some files also contained longer documents such as letters of recommendation and personal essays detailing poverty, physical and sexual abuse, domestic violence and other personal information, UpGuard said.

Another directory, which contained some 2.79 million files, contained even more sensitive data on applicants. This includes photos of the students when required for the application, financial documents such as the Free Federal Student Aid (FAFSA) application forms which in some cases included full Social Security numbers, proof of COVID-19 vaccinations and descriptions of the difficulties.

UpGuard first notified SmarterSelect of the violation on September 15 and then again on September 27. The company acknowledged the warning on September 30, before revoking public access to the compartment on October 5. It is not known if malicious actors accessed the data while it was exposed.

“The contents of the bucket are also reminiscent of the risks of collecting and storing sensitive data, especially for populations like students,” said UpGuard. “The process of applying, participating and securing funding for university education requires young people to provide detailed information about themselves to a complex institutional supply chain.

“Even well-intentioned programs aimed at helping students disadvantaged by circumstances beyond their control – in fact, particularly programs which seek to help those most in need – require a detailed account of the facts of life. “

It is not yet clear whether SmarterSelect has notified those affected by the breach, or whether it has alerted the relevant state attorney general offices in accordance with the Data Breach Notification Act. TechCrunch asked SmarterSelect for comment but did not get a response immediately.