The data of 1.3 million K-12 students was compromised after being exposed on the student warehouse platform Schoolzilla.
In early April, MacKeeper Security Researcher Chris Vickery spotted names, addresses, birthdates, test scores, and even some Social Security numbers while scanning the web for common misconfigurations in Amazon cloud storage devices (Amazon S3 buckets), according to an April 19 blog post.
“There was an exposed ‘sz.tableau' bucket, so I started looking for other ‘sz' iterations,” Vickery said. “That's when I came across ‘sz-backups', which turned out to be a main repository for Schoolzilla's database backups.”
Schoolzilla is a K-12 data platform used by school districts to track and analyze data.
Vickery said the firm took responsibility for the problem and applauded their incident response and willingness to work with him to patch the issue.
Although it is unclear exactly which schools were affected by the incident Palo Alto United School District (PAUSD) confirmed that it had been affected and has since informed those affected..
These incidents are alarming and Ilia Kolochenko, chief executive officer of web security firm, High-Tech Bridge, told SC Media that government regulation may be needed to help keep incidents like this from happening.
“In Europe, the upcoming GDPR is trying to address this problem, however its practical enforceability and the real outcomes are still unclear,” Kolochenko said. “Governments should impose more regulations together with various educational initiatives, as we cannot just demand strong security without assisting and explaining how to achieve it.”
