A recent cybersecurity issue has affected a major education software company called SmarterSelect, which is based in the U.S. The exposure leaked personal data of 1.2 million students (from the period November 2020 to September 21, 2021). The incident was reported by TechCrunch.
The incident occurred because of a misconfigured Google Cloud Storage bucket, as detected by the cybersecurity company UpGuard. The type of data leaked included Social Security numbers, proof of COVID-19 vaccinations and descriptions of hardships. In all, 1.5 terabytes of data were exposed. Schools, universities and education providers are prime targets due to the vast quantities of these types of data.
According to Greg Pollock, UpGuard’s vice president of cyber research: “We talked about PII — this is 500 words of deeply personal identifiable information. Sometimes you may need to demonstrate hardship, so you need you and your parents’ financial statements.”
At present, it is uncertain if malicious actors have been able to take advantage of the flaw to access personal data.
Looking into the issue, Digital Journal sought expert insight from Keith Neilson, Technical Evangelist at CloudSphere.
According to Neilson, because the education sector is firmly in the sights of malicious actors, institutions need to take proactive action to stem cybersecurity risks.
Neilson recommends: “Educational institutions must take a comprehensive approach to cyber asset management to avoid inadvertently exposing the highly personal information of their applicants, students and staff. This includes having visibility into how their data is managed and protected in vendor and partner environments as well.”
In particular, there are important things to avoid doing. Neilson suggests: “Leaving databases exposed without even basic password protection is an all-too-common cause of data leaks but can be avoided.” Addressing these issues reduces the risk of cyber incidents. Neilson recommends: “Organizations must take inventory of the cyber assets hosted within their IT environments and consider leveraging a cyber asset management platform providing holistic, real-time observability to ensure proper security guardrails are in place, at all times.”