Transport app exposes K-12 student location data


Flaws in Education Logistics (Edulog) allowed access to students' data, including names, bus routes, parent contact information, and GPS data.

Edulog’s Parent Portal allows parents and teachers throughout North America to access real-time information about students’ movements. They can find things like pick-up locations, drop-off times, and route changes, among other child transportation-related information.

Cybersecurity company Tenable recently discovered security flaws in the Edulog Parents Portal, which allowed access to K-12 (from kindergarten to 12th grade) student data, including names, assigned bus routes, parent information, GPS data, and the configuration details (usernames and encrypted passwords for third-party integrations) for individual school districts. It’s not clear whether any threat actor has accessed and exploited this data.

Tenable reported these issues, and as of November 30th, 2023, all of them have been resolved.

“Edulog treats the security of all of our products as one of our very highest priorities. After Tenable alerted us to a potential misconfiguration in a client-facing endpoint, our security team researched and resolved the issue in the next build of the product,” Edulog told Cybernews in an email.

They believe there’s no indication that anyone other than Tenable had identified the potential vulnerability.

“In addition, we have been in contact with specific customers regarding the resolved potential vulnerability.”

As per Tenable researchers, similar issues are very common in “industries where the concept of data security is often conflated with compliance standards.”

This is a situation where all those involved – Edulog employees, agents for the school districts, and parents using the services – are responsible for making sure the data relating to these services is handled properly. For example, even without the vulnerabilities discovered in the Parent Portal services, there isn’t necessarily anything stopping a malicious actor from signing up for an account and obtaining a registration code for a given school through other means,” the researchers noted.