Nowadays the number of daily security breaches is through the roof. Although big names in the industry like Amazon, Google and Apple are fighting to provide you with highly secure services, no one can protect you if you leave the door open. And this is what happened with this Amazon S3 bucket.

An unsecured Amazon S3 bucket

The CyberNews website recently came across a vulnerable Amazon S3 bucket. This Simple Storage Service (S3) bucket contains nearly 1 million records of sensitive academic information on high school students.

The bucket contains “GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.”

CaptainU.com is a website whose sole purpose is to help athletes form teams and achieve their goals.

CaptainU’s Philosophy

Our view has always been that college coaches want to hear from athletes directly and vice versa. We’re not agents, we don’t take an active role in recruiting, and we don’t advocate on behalf of any individual athlete or college team. Our focus is on providing tools that make it easier for people to find each other, connect, communicate, and stay organized.

The most concerning part is that this leak affects students aged 13 to 18.

CyberNews to the rescue

CyberNews acted in the best way possible. They first tried to contact CaptainU directly, hoping to inform them of the matter at hand. CaptainU did not respond, however, so they knew they had to act and contacted Amazon directly. Amazon was able to fix part of the issue, but the files remained accessible.

Really CaptainU?

It seems that CaptainU chose to respond through an Amazon representative. As a matter of fact, it turns out that the data were supposed to be publicly accessible. The problem is that the students, as well as their parents, were not sufficiently informed of this.

Some examples provided by CyberNews

Here’s what looks to be an ID with the student’s name, GPA, SAT score, high school, phone number and email address:

[Image: student ID with blurred info]

Transcript containing similar information, plus class-by-class grades:

[Image: censored unofficial transcript]

SAT scores:

[Image: censored SAT score]

And ACT scores:

[Image: censored ACT score]

So now what?

CaptainU is not an agency; if it were, this could turn real ugly real fast. Instead, CaptainU is a private company. On top of that, the data were willingly handed over by the students and/or their parents. As a result, there seems to be little to no legal consequence.

On a closing note

Always make sure to read the fine print. This must be a rule in your life at all times. It does not matter whether it concerns clicking accept on legal disclosures online or trying to get a loan. Always read the fine print. Never sign anything if you are not one hundred percent informed and sure about your decision.

By George Chatzikyriakou

Hi, my name is George Chatzikyriakou (yeah, I know. Even for a Greek name, this name is hard to pronounce). I am 27 and I am a Software Developer based in Greece. I started learning programming when I was too young to have access to an internet connection, so you can say I am mostly self-taught. I went to the university and graduated as an Automation Engineer. As a technology enthusiast I love reading and talking about breakthroughs in technology and the whole universe of possibilities that unfold with it.
