We’ve heard all about Russian hackers stealing personal info and even clever high school students hacking to change grades. But a massive breach that leaked grades and personal information of 100,000 U.S. high school students was caused by something completely different – and sadly, completely preventable.
High schoolers applying for college are usually required to send along their high school grades through an independent 3rd party - I guess to eliminate the temptation to "adjust" their grades. Typically, the student allows their school to release grades to the 3rd party, which, for about $10, sends them on to the college with some assurance that the grades are accurate and have not been tampered with.
NeedMyTranscript.com is one of these 3rd parties and handles transcript requests from every state in the U.S. A data breach just revealed sensitive information for up to 100,000 of its customers. And the "breach" meant that this information was freely searchable on Google. Anyone else remember an insurance company that did the same thing?
While NeedMyTranscript claims no credit card information was exposed, the personal information that was leaked is complete enough to be used for identity theft. Plus, who would want their high school grades floating around on the Internet?
Oh, and this security flaw may have been present in NeedMyTranscript's system for the website's entire two years of operation.
Here's how The Washington Post explains this data breach:
The Web site relies on third-party services such as Google Docs to accept applicants' signatures and display their transcript requests. A Google search for a particular high school and "transcript" would sometimes return Needmytranscript.com's portal in the top search results.
So all someone would have to do to find your transcript is to search for your full name and "transcript." Try it on yourself, I know I did. Please don't do it to your old classmates, though, because you should not breach anyone else's privacy, even inadvertently.
Oh, and the company finally acknowledged that it had, in fact, been breached. Here's part of its statement:
That is why when NeedMyTranscript recently became aware of a specific vulnerability in the security of some of our files, we fixed that vulnerability within hours, ordered a security scan by our host provider to confirm that no malware was installed, and hired an experienced cybersecurity firm to investigate and assist with security.
Here's the problem: That "talk" with a cybersecurity firm should have happened before a company decided to start transferring its customers' personal information.
When it comes down to it, keeping yourself safe from breaches like this starts with doing your research. A company like NeedMyTranscript might offer something that seems safe when dealing with paper.
When it comes to keeping customer information from being left publicly available, though, that means spending some extra effort.
Look for companies that have been around for a while and, more importantly, scan their blogs. Look for posts about security measures and other precautions they take to keep customer data safe.
Another way to know which companies to trust with your personal info is to see which ones stood up to a hack. In this case, you'd probably want to be looking for any company that doesn't make high school transcripts freely searchable, so it shouldn't be that hard.
You might also want to take a look at the companies that withstood the JPMorgan breach to find out which financial institutions have ironclad security.