Student Data Breach: 1.2M Records Exposed - US Education Software

Data Breach Exposes Sensitive Information of Scholarship Applicants
SmarterSelect, a company based in the United States specializing in scholarship application management software, experienced a data exposure incident. This resulted from a misconfigured Google Cloud Storage bucket, potentially compromising the personal data of numerous applicants.
Details of the Data Spill
Cybersecurity firm UpGuard discovered the data spill. It encompassed 1.5 terabytes of data gathered from various financial aid programs for students. The exposed data spanned applications submitted between November 2020 and September 21, 2021, and related to approximately 1.2 million applications.
SmarterSelect reports having served a total of 1.6 million individuals to date.
Contents of the Exposed Data
Analysis by UpGuard revealed one publicly accessible folder containing 23,000 spreadsheets and 8,000 ZIP files. These files held applicant contact details, including names, email addresses, and phone numbers.
Furthermore, the data included sensitive personal information such as parents’ educational backgrounds and income levels, student academic performance, and details regarding personal hardships.
Highly Sensitive Documents Included
The exposed data also contained more extensive documents, including letters of recommendation and personal essays. These essays often detailed experiences with poverty, physical and sexual abuse, and domestic violence.
A separate directory, comprising 2.79 million files, contained even more sensitive applicant data. This included student photographs, financial documents like FAFSA forms (some containing full Social Security numbers), proof of COVID-19 vaccinations, and descriptions of personal hardships.
Timeline of Discovery and Remediation
UpGuard initially alerted SmarterSelect to the breach on September 15th, followed by a second notification on September 27th. The company acknowledged the issue on September 30th.
Public access to the exposed bucket was revoked on October 5th. The extent to which malicious actors may have accessed the data during the exposure period remains unknown.
Implications and Risks
UpGuard emphasized that this incident highlights the inherent risks associated with collecting and storing sensitive data. This is particularly relevant for vulnerable populations like college students.
The university application and funding process necessitates that students share detailed personal information across a complex network of institutions.
The Need for Detailed Personal Accounting
Programs designed to assist disadvantaged students, and especially those focused on helping individuals with the greatest needs, require a comprehensive record of personal circumstances.
Current Status and Lack of Notification
As of now, it is unclear whether SmarterSelect has notified affected individuals about the breach. It is also uncertain if they have informed relevant state attorney general offices, as required by data breach notification laws.
TechCrunch reached out to SmarterSelect for comment but has not yet received a response.
