Schoolhouse Data Breach
I’ve come across a few recent data breach finds worth noting. The first of these affects approximately 1.3 million students.
Schoolzilla, a student data warehousing platform, made the all-too-common mistake of configuring their cloud storage (an Amazon S3 bucket) for public access. I discovered the bucket after noticing a few other unsecured buckets related to the Tableau data visualization platform. There was an exposed “sz.tableau” bucket, so I started looking for other “sz” iterations. That’s when I came across “sz-backups”, which turned out to be a main repository for Schoolzilla’s database backups.
I downloaded several of the production backups; the largest was titled “Web_Data_FULL” and weighed in at 12 gigs. After loading them into a local MSSQL instance, I did some review and concluded that this was most likely real student data and did indeed come from Schoolzilla. The possibility of a false-flag operation is always in the back of my head (a scenario in which an unscrupulous company creates a false data breach which appears to originate from a competitor).
Schoolzilla was quick to respond when I submitted a data breach notification ticket. They secured the data and opened dialogue with me to learn the full extent of the issue. I applaud their incident response. This was the first situation of its kind for them and they reacted professionally. It must have been grueling for the CEO to phone each client and relay the unpleasant news, but they did it within only a few days of my report.
Additionally, Schoolzilla understood the problem and took responsibility. They did not try to shoot the messenger or claim that I had somehow “hacked” them. That’s worth an extra-large gold star on the board for them.
Unlike most reports, I do not have any redacted screenshots to share for this one. The sheer volume of private student data, including scores and Social Security numbers for children, convinced me that it should be purged from my storage in an expedited fashion. I did, however, seek guidance from the US Department of Education before overwriting my copies, just in case they wanted them preserved for any investigatory purposes. Unfortunately, the Department’s voicemail box is currently full and I could not leave a message.
A message from Schoolzilla’s CEO regarding the situation can be found here: https://schoolzilla.com/commitment-information-security/
Information for editors:
The Kromtech (MacKeeper) Security Research Center was established in Dec 2015 with the goal of helping to protect data, identifying data leaks and following responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the Kromtech Security Research Center a reputation as one of the fastest growing cyber data security departments.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.