The Cambridge Institute Exposed DatabaseBack to blog
Boston-based educational consulting firm exposed personal information of thousands of international students and hosting homes.
The MacKeeper Security Research center experts have discovered and helped to secure a publicly available, non-password protected database containing more than a half of a million records on international students and info on 12 thousands host families and housing information.
The database (found via Shodan search and hosted on an Amazon cloud IP) appeared to be part of The Cambridge Institute of International Education (CIEE), a Boston-based educational consulting firm that increases international participation in American private high schools and strengthens the ability of those institutions to educate international students, according to their website http://www.thecambridgeinstitute.org.
Initially, when contacted by emails from their website on Jun 6th, CIEE did not respond to the database notification. However, after a phone call to their Boston office, database was finally secured within an hour. MacKeeper Security and Research Center would like to thank Databreaches.net for assisting with the notification to CIEE.
One folder in the database seems to have a massive number of files that were publically accessible to anyone looking for them. The folder was titled "NewStudentsApplicationReportForFinanceV1" appears to have over 600K+ records for international students and includes personal information including names, emails, passwords, phones, account details, relatives info, passport details (all in plain text). Plus there was even correspondence records between the Cambridge Institute of International Education team members, and housing reports and working links to the pdf's and payment confirmations.
In addition, there was an additional collection of records that included the detailed information of 12,000+ hosting houses, including the information on a household, family member details (such as medical conditions, if any, religious beliefs, even frequency of attending religious activities), occupation details, incl. emails and phones, birthdates, and other extremely sensitive data on the personal privacy of the host families. The database contained a treasure trove of sensitive data could have been used for a wide range of illicit activities and in addition to the possible illegal or criminal uses of this data, it is extremely embarrassing to see documentation of housing reports and detailed descriptions about students’ conflicts, medical conditions, personal problems, living conditions, and much more.
Interestingly, the MacKeeper Security Researcher who discovered the data leak when browsing in Shodan took notice that the database was named after a planet from Star Wars. The database was named “Coruscant” - a planet in the Star Wars universe (Imperial Center during the reign of the Galactic Empire).
The Cambridge Institute of International Education is yet another example of the importance of protecting sensitive data in the educational field. Since 2014 the number of students’ who have had their data compromised online has continued to grow and with over a half of a million accounts left unprotected, it shows the full scale of just how big the number of students Cambridge left vulnerable vs other recent leaks.
*Notable data leaks or breaches to colleges and educational institutions 2014-16
University of Maryland exposed SSNs and more for 300,000 students and employees,
North Dakota University lost data on 300,000 students to hackers,
Butler University lost 200,000 to hackers, and
Indiana University exposed information on 146,000 students.
In 2015 vendors seeking to do business with the Chicago school district were given the personal data of 4,000 students
2016 The University of Greenwich's accidentally published of the personal data of students on their website
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org