We often comment how no industry is immune from data breaches. That would include educational institutions and their vendors, as this story reminds us.
Schoolzilla, a student data warehouse platform based in California was alerted by security researcher Chris Vickery this month that while he was scanning the Internet for Amazon S3 buckets, (which is a misconfiguration in Amazon cloud storage devices), he came across a storage device that included a database that contained the personal information, including some Social Security numbers and test scores of 1.3 million K-12 students in the United States.
When he found the database and realized the content, he alerted Schoolzilla about the problem, and it reacted quickly and corrected the issue within 24 hours. Schoolzilla stated that as soon as it was alerted, it fixed the error and confirmed that no one except for Vickery had accessed the database.
We are all grateful to have security researchers like Chris Vickery alerting companies about vulnerabilities. But proactively making sure that these errors don’t happen in the first place is key to a security program—especially when dealing with the data of minors and students.