A website that helps students obtain past transcripts might have exposed the personal information of close to 100,000 users. At least one user was able to access the information after a flaw in NeedMyTranscript.com's design led to a site subdirectory, according to The Washington Post. The transcript site covers more than 18,000 high schools in all 50 states.
How many victims? 98,818
What type of personal information? Names, addresses, email addresses, phone numbers, dates of birth, mothers' maiden names, the last four digits of users' Social Security numbers, and in some cases, the names of organizations at which users were applying for jobs
What happened? The website appeared to have a flaw in its design that allowed at least one user to view a publicly available subdirectory that contained the data. The user arrived at the subdirectory after receiving an error message.
What was the response? NeedMyTranscript fixed the vulnerability, executed a security scan with coordination from its host provider and hired a cybersecurity firm to investigate the incident. No malware was found on the site.
Details: The Washington Post notified the transcript provider of the site flaw, but according to the paper, the company denied that the personal information was publicly accessible. Now, however, the site is fixing the issue.
Quote: “Please be assured that, as part of our ongoing efforts to protect our customers' information, NeedMyTranscript does not store customer high school transcripts, credit card numbers or full Social Security numbers on our website,” according to a notice posted on NeedMyTranscript.com
Source: needmytranscript.com, “Notice to our customers;” washingtonpost.com, The Washington Post, “Personal information of almost 100,000 people exposed through flaw on site for transcripts,” Oct. 21, 2014.