Nowadays the number of daily security breaches is through the roof. Although big names in the industry like Amazon, Google and Apple are fighting to provide you with highly secure services, no one can protect you if you leave the door open. And this is what happened with this Amazon S3 bucket.
An unsecured Amazon S3 bucket
The CyberNews website recently came across a vulnerable Amazon S3 bucket. This Simple Storage Service bucket contains nearly 1 million records of sensitive academic information about high school students.
The bucket contains “GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.”
CaptainU.com is a website whose sole purpose is to help athletes form teams and achieve their goals.
Our view has always been that college coaches want to hear from athletes directly and vice versa. We’re not agents, we don’t take an active role in recruiting, and we don’t advocate on behalf of any individual athlete or college team. Our focus is on providing tools that make it easier for people to find each other, connect, communicate, and stay organized.
The most concerning part is that this leak affects students aged 13 to 18.
CyberNews to the rescue
CyberNews acted in the best way possible. They first tried to contact CaptainU directly, hoping to inform them of the matter at hand. CaptainU did not respond, so CyberNews knew they had to act and contacted Amazon directly. Amazon was able to fix part of the issue, but the files remained accessible.
It seems that CaptainU chose to respond through an Amazon representative. As it turns out, the data were supposed to be publicly accessible. The problem is that the students, as well as their parents, were not sufficiently informed of this.
Some examples provided by CyberNews
Here’s what looks to be an ID with the student’s name, GPA, SAT score, high school, phone number and email address:
Transcript containing similar information, plus class-by-class grades:
And ACT scores:
So now what?
CaptainU is not an agency, in which case this could turn real ugly real fast. Instead, CaptainU is a private company. On top of that, the data were willingly handed over by the students and/or their parents. As a result, there seems to be little to no legal consequence.
On a closing note
Always make sure to read the fine print. This must be a rule in your life at all times. It does not matter whether you are clicking accept on a legal disclosure online or trying to get a loan. Always read the fine print. Never sign anything if you are not one hundred percent informed and sure about your decision.