The personal information of tens of thousands of students in the United States was recently exposed to unauthorised access after non-profit organisation Get Schooled failed to secure a database that stored their personal, contact, and education details.
Get Schooled is a ten-year-old non-profit organisation that was raised through a partnership between Viacom and Bill & Melinda Gates Foundation to help young students from low-income families, racial minorities, and first-generation college students to pursue higher education and to secure their first jobs.
The organisation has helped more than one million young people over the past ten years through personalised support, institutional partnerships, financial assistance, job advice, and helping young students with college applications and advice on scholarships.
According to British cyber security firm TurgenSec, Get Schooled exposed the personal information of tens of thousands of young people earlier this year when it overhauled its website. The exposure leaked as many as 125 million data records, including 930,000 email addresses as well as the names, gender, age, and graduation details of students.
The data exposure was first detected on 17th November and was closed on 21st December by Get Schooled. According to the Financial Times, the non-profit organisation believes that only 250,000 accounts were exposed, and the exposed data included no more than 75,000 active email addresses, 20,000 phone numbers, and 12,000 mailing addresses.
The exposure of the personal information of thousands, sometimes millions of people as a result of database misconfiguration is becoming more common than before, especially as a result of organisations embracing cloud technologies at a breakneck pace without taking equally quick steps to secure data stored on the cloud.
Earlier this year, a misconfigured Google Cloud Storage bucket belonging to pharmaceutical company Pfizer exposed the personal information of hundreds of prescription drug users in the US as well as transcripts of conversations between users of various Pfizer drugs and the company’s interactive voice response (IVR) customer support software.
Security researchers at VpnMentor discovered the Google Storage bucket when they were conducting port scanning to examine particular IP blocks and test different systems for vulnerabilities. They found hundreds of transcripts of conversations between the company and its customers, and each transcript contained information about prescription drugs being used by customers as well as their full names, home addresses, email addresses, phone numbers, and partial details of their health and medical status.
Anyone with access to the misconfigured bucket could view which prescription drug manufactured by Pfizer was purchased by each customer. The list of drugs mentioned in the transcripts included Chantix, Depo-Medrol, Lyrica, Premarin, Viagra, Advil, as well as cancer treatment drugs such as Aromasin and Ibrance.
"Had malicious or criminal hackers accessed the data stored on Pfizer’s Google Cloud bucket, they could have exploited it in numerous ways, targeting drug users in various fraudulent schemes. Using the PII data revealed in the transcripts, combined with details of medicine prescriptions and usage, hackers could target those exposed with highly effective phishing campaigns," vpnMentor said.