Nearly 50,000 records tied to Encore Support Services, a special education and behavioral health service provider for school children, were discovered by security researcher Jeremiah Fowler in a non-password-protected database left exposed to the internet.
In total, Fowler found 47,192 items exposed online, totaling 6.74 GB, consisting of invoices from Encore Support Services. These documents were submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction, and Student Support Special Education Office of New York.
A deeper look at the documents determined the records were invoices belonging to Encore Support Services (ESS), which has offices in New York, New Jersey and Michigan. After the discovery, Fowler reported the compromise to vpnMentor.
The sensitive student “records were publicly exposed, without password protection in place or encryption, to anyone with an internet connection,” Fowler wrote in a blog post about his findings.
The exposed invoices contained students’ names, contact details, parents’ names, and the service providers’ names, along with other sensitive information. The documents also included the NYC Department of Education Open Student Information System ID number, which is a nine-digit number issued to NYC public school students for use on IDs and transcripts.
The invoices directly described the diagnoses of students, including different codes that could potentially identify the characterization of their need for service or reveal medical information about the student, such as whether the individual needed special needs services.
Some of the records were dated as far back as 2018, with some students relying on the described services for multiple years.
The documents also included a host of sensitive information about the vendor, including its tax identification number (an EIN or Social Security number) and billing hours from detailed payment requests.
“The personally identifiable information (PII) of children shouldn’t have been publicly accessible,” Fowler wrote.
At the same time, Encore Support Services is not being accused of wrongdoing. The report’s intent is to identify the potential risks of the exposure and the means by which attackers could exploit the information.
In a threat actor’s hands, this type of information could be used in targeted social-engineering attacks, fraud or identity theft attempts, and other nefarious activities.
Fowler sent a responsible disclosure notice to Encore Support Services after finding the unsecured database. However, “it’s unclear how long these records were exposed or if anyone else may have had access to them. It is also unclear if parents, school officials, or the proper authorities have been notified of the data exposure.”