Sensitive personal information belonging to more than 1 million individuals seeking information about higher education institutions was exposed online earlier this year, EdScoop has learned.
The data — which included names, phone numbers, email addresses, home addresses, high school graduation years and, in a few cases, dates of birth and Social Security numbers — was left publicly accessible for at least several weeks in January and February, according to Chris Vickery, director of cyber risk research at the cybersecurity firm UpGuard.
Gregory Gragg, CEO of Target Direct Marketing (TDM), the lead-generation company that holds and manages the information in question, confirmed the data exposure to EdScoop.
TDM said it has plans to notify anyone affected by the incident. Neither UpGuard nor TDM knows of any malicious or criminal activity related to the data. The data was all provided voluntarily by people who requested information online about colleges and universities, TDM said. The company would not specify which institutions are its clients. In total, records associated with 1,097,000 people — dating back to 2005 — were left open on the internet, Vickery told EdScoop.
“Any time you crack a million records, it’s in a noteworthy category,” Vickery said about the data exposure, adding that since the data belonged to potential college applicants and therefore prospective students, “it’s good for the public to know about this one. Flags need to be raised, whistles need to be blown.”
The exposure happened through a common tool called rsync that is used to remotely back up data, allowing users to copy it from one machine to another, Vickery said. Gragg said TDM’s five-person IT team made a change at some point in January that likely created the vulnerability. Researchers at UpGuard could not determine how long the data was exposed prior to their discovery.
In this particular case, TDM did not configure rsync's "hosts allow/deny" functions properly, Vickery said. "Such measures can often be missed," he said, emphasizing how one simple mistake or misconfiguration can make data public. Vickery and UpGuard are known for independently finding such data exposures.
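The kind of gap Vickery describes can be checked for mechanically. The following is an added example, not code from EdScoop, UpGuard or TDM: it audits an rsync daemon configuration and flags modules that have no effective "hosts allow"/"hosts deny" restriction or no "auth users" setting. The sample configuration, module names and paths are constructed for illustration.

```python
import re

# Constructed sample rsyncd.conf (not TDM's): the first module has no access
# controls; the second is limited by source address and requires a login.
SAMPLE_CONF = """\
[leads_backup]
    path = /srv/backup/leads
    read only = yes
[internal]
    path = /srv/backup/internal
    hosts allow = 10.0.5.0/24
    hosts deny = *
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
"""
WILDCARDS = {"*", "0.0.0.0/0", "::/0"}

def parse(text):
    """Return {module: params}; global parameters act as per-module defaults."""
    defaults, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(defaults))
        elif "=" in line:
            name, value = line.split("=", 1)
            name = " ".join(name.lower().split())  # normalise case and spacing
            (defaults if current is None else current)[name] = value.strip()
    return modules

def patterns(value):
    """Split a hosts allow/deny value on commas and whitespace."""
    return {p for p in re.split(r"[,\s]+", value or "") if p}

def audit(text):
    """Return {module: [findings]}; an empty list means both controls are set."""
    report = {}
    for module, params in parse(text).items():
        allow, deny = (patterns(params.get(k)) for k in ("hosts allow", "hosts deny"))
        # A host matching neither list is admitted, so an allow list only
        # restricts access when used alone or next to a catch-all deny.
        restricted = not (allow & WILDCARDS) and (
            bool(deny & WILDCARDS) or (bool(allow) and not deny))
        findings = [] if restricted else ["reachable from unlisted hosts"]
        if not params.get("auth users"):
            findings.append("anonymous access (no auth users)")
        report[module] = findings
    return report
```

Calling `audit()` on the text of a real rsyncd.conf returns the same per-module report; a module with an empty list has both a source-address restriction and authentication configured.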
On Jan. 22, Vickery discovered the data, and on Feb. 26, he contacted Gragg and his colleagues at TDM. UpGuard waited more than a month, a spokesperson said, because researchers there didn't have the capacity or resources to intervene on this exposure sooner.
"We must prioritize notification based on our knowledge of the scope and severity of active exposures," the spokesperson said. "Because the Cyber Risk team cannot practically notify every organization through our outreach program, we aim to raise awareness of the causes of data exposure so that data processors and controllers can secure such sensitive data without our intervention."
Within an hour of being notified, Michael Schuler, the CIO of TDM — a subsidiary of the Kansas City holding company Blue Chair LLC — secured the exposed rsync port, Gragg said. In fact, Gragg said Schuler “closed that gap” in about nine minutes.
“Any exposure like this is serious, and we take it seriously here,” Gragg said.