A software company that manages applications for academic scholarships, grants and other forms of financial assistance for college students misconfigured a cloud storage platform, leaving millions of records exposed on the open internet, according to research published Monday by UpGuard, a cybersecurity risk management firm.
The company, SmarterSelect, failed to make private a Google Cloud Storage bucket containing 1.5 terabytes of data collected by an array of programs that offer financial support to students — with documents dating from November 2020 to Sept. 29 — around the time SmarterSelect acknowledged UpGuard’s discovery. The bucket contained nine top-level directories, all containing information about the scholarship organizations that use SmarterSelect and about 150,000 PDF files of students’ application materials.
SmarterSelect, which was founded in 2007 after its founder grew frustrated with the paper-based scholarship applications his daughter was filling out at the time, claims on its website that its application management system is now used by as many as 40,000 financial-assistance programs and that more than 1.6 million people have used it to apply for grants and scholarships or review applications.
The application materials contained common pieces of personally identifying information — names, dates of birth, addresses and Social Security numbers — but also essays and personal narratives in which applicants disclose some of the most intimate details of their lives.
“We talked about PII — this is 500 words of deeply personal identifiable information,” said Greg Pollock, UpGuard’s vice president of cyber research. “Sometimes you may need to demonstrate hardship, so you need you and your parents’ financial statements.”
UpGuard’s report into the data leak explains that researchers found that scholarship applications often contained probing details of students’ lives, including experiences of poverty and trauma.
“In addition to the structured data, some files also contained the text of longer documents that had been submitted and reviewed,” the report reads. “These included intensely revealing statements like letters of recommendation and personal essays detailing poverty, physical and sexual abuse, domestic violence, and other personal information.”
Many of the application files that were exposed also included students’ photos, academic transcripts, letters of recommendation and copies of the Free Application for Federal Student Aid, the form that colleges and universities use to determine if students qualify for federal loans and grants. The most recent files also contained information related to students’ COVID-19 vaccination status.
“I understand why this company exists,” Pollock said. “The funding programs would not just be from a university, but an organization like the rotary club in your town. Small organizations want to run a scholarship, but so many applicants are there for it.”
Potential for exposure
Pollock told StateScoop he has no way of knowing if any malicious actor accessed SmarterSelect’s Google Cloud Storage bucket while it was exposed, but that sealing it is a relatively simple fix. He said the configuration settings for Google Cloud are similar to those on Amazon Web Services’ Simple Storage Service, or S3.
“Maybe people have not thought about Google Cloud’s potential for exposure, but the number [of customers] is growing,” he said. “It becomes a relevant surface area to monitor. S3 buckets, done and dusted, everyone knows them. It’s easy to make a bucket and its contents private.”
UpGuard said it discovered an unsecured Google Cloud bucket on Sept. 8 and after a week of analyzing the contents to determine the owner and affected parties, tried to notify SmarterSelect on Sept. 15. After subsequent attempts, SmarterSelect, which appears to have fewer than 15 employees, responded Sept. 30, and by Oct. 5, public access to the storage bucket was removed.
Though the incident was technically straightforward, Pollock said the involvement of a company like SmarterSelect illustrates the complex web of information collected from college students.
“Student data is treated very seriously in this country,” he said, nodding to the Family Educational Rights and Privacy Act. “What was kind of interesting to me about this is it made me think about the other industries in the university business.”