
Personal Data of 30,000+ Students Disclosed in Unsecured Database

The security experts at SafetyDetectives reported that the private details of over 30,000 students were discovered on an inadequately secured Elasticsearch server. 

According to the researchers, the server was exposed to the Internet and did not require a password to retrieve the data it held. It disclosed more than one million records containing personally identifiable information (PII) of 30,000 to 40,000 students.

As per the report, the exposed data included full names, email addresses, and phone numbers, as well as credit card information, transaction and meal purchase details, and login credentials stored in plain text. According to SafetyDetectives, the poorly protected server was being upgraded at the time it was discovered, and server logs revealing student data were found as well.

The 5GB database appeared to contain information about students who hold Transact Campus accounts, according to the researchers. Because Transact Campus partners with higher education institutions in the United States, most of the affected students are US citizens.

Transact Campus offers an application that students may use to make payments and purchases through a unique personal account (called Campus ID), as well as for activities such as event access, class attendance tracking, and more. The researchers were unable to determine whether malicious actors had accessed the unsecured database before it was protected. They do, however, warn that if criminal actors did obtain the data, the affected students could be subjected to a variety of attacks, including phishing, spam marketing, and malware.

SafetyDetectives says it alerted Transact Campus about the unsecured server in December 2021 but did not receive a response until January 2022, despite also contacting US-CERT. Although the data had been secured by that time, Transact Campus denied responsibility for the exposure.

“Apparently, this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data,” Transact Campus told SafetyDetectives. 

The researchers, on the other hand, told SecurityWeek that they examined a sample of the data found on the server and believe it belongs to real individuals.

“We use publicly available tools to perform random searches for the people exposed and see if they actually exist. We, of course, performed this process when we discovered this server and found out that the data seemed to belong to real people,” SafetyDetectives stated. 

When contacted by SecurityWeek, Transact Campus stated that it promptly launched an investigation after learning of the exposure. The exposed information was found to belong to a third party, according to Chief Information Security Officer Brian Blakley, and none of Transact's systems was accessed without authorization.

When asked whether the potentially affected students had been notified in any way about the data exposure, Blakley advised SecurityWeek to contact Sodexo, which appears to be responsible for the incident.

“Sodexo in conjunction with its payment provider for dining services, Foundry, provided a Notice of Data Breach to impacted clients and users explaining the incident,” he said. 

Sodexo is a global provider of food, facilities management, and home and personal services. SecurityWeek reached out to the organisation for further information on the incident but has yet to receive a reply.