Get Schooled, a New York-based charity suffered a data exposure that left records related to hundreds of thousands of students in an unsecured AWS bucket that was open and accessible from the internet.
The exposure was first identified by TurgenSec, a security firm based in the United Kingdom, that received a submission from an anonymous third-party that contained data claiming to be from a misconfigured AWS storage bucket used by Get Schooled. The authenticity of the exposure was eventually confirmed by TurgenSec security analysts, and they notified the nonprofit on November 18. Get Schooled has confirmed the exposure to SC Media and other outlets and that the misconfiguration was fixed on Dec. 21 before staff left for the holidays.
Get Schooled was started in 2009 and provides educational resources, research and assistance to students during the college application process, their university tenures and post-college job hunting. The exposed data included details related to students who engaged with the nonprofit, including names, emails, age, gender, their high school or college and graduation data. In some cases, physical addresses and phone numbers were also exposed.
TurgenSec estimated the number of affected individuals could be more than 900,000, but that figure has been disputed by Get Schooled. In an interview, John Branam, the organization’s executive director, confirmed the issue was related to a misconfigured AWS bucket but said the real number of affected individuals was closer to 250,000. He said TurgenSec didn’t de-duplicate the data they received and as a result were likely counting hundreds of thousands of duplicate email addresses. A TurgenSec spokesperson said it was possible the true number of affected individuals was lower.
Branam also downplayed the value of the data that was exposed, saying it did not contain any Social Security numbers, birth dates or financial information of impacted individuals. While other data, like email addresses for students who engaged with the nonprofit and “some” physical addresses were included, he said the vast majority were outdated or tied to accounts that students had with their former high schools that are either no longer active or purged from school systems upon graduation.
“This is unfortunate, we’re not debating that and we take responsibility for it,” he said. “Mistakes do happen, but in this case the vast majority of this data is irrelevant and in cases where there is some relevancy in terms of young people that still engage with Get Schooled, at most you’re largely talking about slight potential for spam increases.”
Branam said the organization has notified affected individuals and have not yet heard any reports or concerns about identity theft or spam increases that would indicate widespread malicious use of the exposed data. They’re also engaging with a third-party security vendor to examine their security posture. While TurgenSec says it got the data from an anonymous third-party (who presumably accessed it), Branam said his organization doesn’t have evidence proving or disproving that any unauthorized access of the data took place.
While it initially launched with backing from the Bill and Melinda Gates Foundation, Viacom AT&T and Capital One, Branam stressed that the outfit remains a small nonprofit with limited budget and staff. Get Schooled had a budget of just over $2 million in 2018 and 2017, according to Charity Navigator, which advises its users that they can "Give with Confidence" largely due to the non-profit's financial transparency and low administrative overhead."
They currently have 12 employees, and IT and cybersecurity work is often handled by those on staff with other job titles and responsibilities, not an uncommon reality in the non-profit world. According to DonorBox, small non-profit organizations can make attractive targets for hackers both because they may have valuable data on donors and because resources are so limited that cybersecurity often falls by the wayside. Branam said donors are usually looking to give money for specific missions or programs within an organization, and budget line items for improving cybersecurity typically don’t receive much financial support.
Ironically, he said the delayed response addressing the misconfiguration was in part due to concerns over cybersecurity. Staff felt the tone of the initial email from TurgenSec seemed “off” and there were concerns it could have been a phishing attempt. They were eventually able to confirm the misconfiguration and address it. He said he is trying to toe the right line between not appearing dismissive of the exposure while also not exaggerating its impact.
“In this particular case, it was a very small mistake but of course in the digital world, small mistakes can expose lots of data,” he said. “I don’t have grave concerns about our practices but I do think the opportunity here is to learn and get better.”
The Financial Times first reported on the data exposure.