Sensitive data of individuals seeking information about higher education institutions was left publicly available on the internet for more than a month.
Sensitive personal information belonging to more than 1 million individuals seeking information about higher education institutions was exposed online earlier this year, EdScoop has learned.
The data — which included names, phone numbers, email addresses, home addresses, high school graduation years and, in a few cases, dates of birth and Social Security numbers — was left publicly accessible for at least several weeks in January and February, according to Chris Vickery, director of cyber risk research at the cybersecurity firm UpGuard.
Gregory Gragg, CEO of Target Direct Marketing (TDM), the lead-generation company that holds and manages the information in question, confirmed the data exposure to EdScoop.
TDM said it has plans to notify anyone affected by the incident. Neither UpGuard nor TDM knows of any malicious or criminal activity related to the data.
The data was all provided voluntarily by people who requested information online about colleges and universities, TDM said. The company would not specify which institutions are its clients.
In total, records associated with 1,097,000 people — dating back to 2005 — were left open on the internet, Vickery told EdScoop.
“Any time you crack a million records, it’s in a noteworthy category,” Vickery said about the data exposure, adding that since the data belonged to potential college applicants and therefore prospective students, “it’s good for the public to know about this one. Flags need to be raised, whistles need to be blown.”
The exposure happened through a common tool called rsync that is used to remotely back up data, allowing users to copy it from one machine to another, Vickery said. Gragg said TDM’s five-person IT team made a change at some point in January that likely created the vulnerability. Researchers at UpGuard could not determine how long the data was exposed prior to their discovery.
In this particular case, TDM did not configure rsync's "hosts allow/deny" functions properly, Vickery said. "Such measures can often be missed," he said, emphasizing how one simple mistake or misconfiguration can make data public. Vickery and UpGuard are known for independently finding such data exposures.
On Jan. 22, Vickery discovered the data, and on Feb. 26, he contacted Gragg and his colleagues at TDM. UpGuard waited more than a month, a spokesperson said, because researchers there didn't have the capacity or resources to intervene on this exposure sooner.
"We must prioritize notification based on our knowledge of
the scope and severity of active exposures," the spokesperson said. "Because the Cyber Risk team cannot
practically notify every organization through our outreach program, we aim to
raise awareness of the causes of data exposure so that data processors and
controllers can secure such sensitive data without our intervention."
'We take it seriously here'
Within an hour of being notified, Michael Schuler, the CIO of TDM — a subsidiary of the Kansas City holding company Blue Chair LLC — secured the exposed rsync port, Gragg said. In fact, Gragg said Schuler “closed that gap” in about nine minutes.
“Any exposure like this is serious, and we take it seriously here,” Gragg said.
To TDM's credit, Vickery said he only sees that sense of urgency in about 10 to 20 percent of data exposure or data breach cases.
"It’s a good response on their part. Once they were notified, they acted on it pretty darn fast,” Vickery said.
Most of the people whose data was exposed had provided personal information to TDM as part of an education-related inquiry; a small number had requested information about the auto industry.
Gragg said about 90 percent of the inquiries TDM receives are education-related. In that same conversation, he said TDM has between 50 and 100 college and university clients, but he later walked that back, saying the number may be closer to 10. Gragg declined to reveal the breakdown of for-profit and nonprofit institutions that use TDM’s services, but he did confirm it’s a “mix.”
About 3,300 individuals had their dates of birth made public during the exposure. Another 400 records — isolated to the auto industry — included Social Security numbers. None of TDM’s education-related contact forms ever ask for Social Security numbers, Gragg said.
TDM has not yet notified the affected individuals, but Gragg said the company is working on it. Following the counsel of an attorney, TDM is first notifying state and federal authorities about the exposure, Gragg said, then it will prioritize people whose Social Security numbers were exposed. Those whose dates of birth were exposed will be next. After that, it will notify the approximately 1,093,000 people who remain.
Though it doesn’t change the magnitude of the exposure, Gragg said most of the people who had records in the database in question were never marketed to by TDM.
“Those were dead lead lists — information requests that never went anywhere, that just died,” he said. “It’s a trashcan that didn’t get emptied. It’s just been sitting there.”