
Bank Street College of Education, a New York-based private school, exposed hundreds of thousands of files with personal data, including home addresses and phone numbers.
An exposed Amazon AWS bucket revealed personal details of hundreds of thousands of people, the Cybernews research team discovered. According to the team, the exposed instance belongs to the Bank Street College of Education, a prominent century-old private school and graduate school.
Over half a million files were present in the exposed instance, most of which were CVs and resumes. The instance was exposed for at least a month, leaving sensitive data open to attackers who use automated bots to scan the internet relentlessly for exposed instances.
We have reached out to Bank Street for comment and will update the article once we receive a reply.
What Bank Street College of Education data was exposed?
Most of the exposed files were resumes and CVs, suggesting that each file represents one person. Unsurprisingly, the jeopardized information is what individuals typically include in their resumes, such as:
- Full names
- Home addresses
- Email addresses
- Phone numbers
- Educational and professional backgrounds
Even though the data ranges from 2014 to 2022, exposed individuals face an increased risk of identity theft, phishing attacks, and doxxing. According to the team, attackers can exploit the leaked details to create fake academic records, impersonate faculty members, or gain unauthorized access to school-related services and platforms.

“The combination of personal information from student and educational and employment background provides a complete profile of individuals, making them vulnerable to highly targeted phishing campaigns,” researchers said.
Moreover, attackers can exploit leaked email addresses and phone numbers to craft phishing emails, SMS scams, or fraudulent job and academic-related messages. For example, attackers could pose as school officials, employers, or scholarship providers, requesting sensitive information such as ID scans or banking details.
“Voice phishing and SMS phishing tactics may also be used to deceive victims into making payments for fake tuition fees, student loans, or employment background checks,” the team said.
To mitigate the issue and avoid similar incidents in the future, the team advises the following:
- Change the access controls to restrict public access and secure the bucket.
- Update permissions to ensure that only authorized users or services have the necessary access.
- Retrospectively monitor access logs to assess whether the bucket has been accessed by unauthorized actors.
- Enable server-side encryption to protect data at rest.
- Use AWS Key Management Service (KMS) for managing encryption keys securely.
- Implement SSL/TLS for data in transit to ensure secure communication.
- Consider implementing security best practices, including regular audits, automated security checks, and employee training.

- Leak discovered: February 21st, 2025
- Initial disclosure: February 26th, 2025
- CERT contacted: March 5th, 2025
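
Several of the mitigation steps listed above (restricting public access, default encryption with KMS, and TLS in transit) can be checked mechanically. The Python below is an added example, not code from Cybernews or Bank Street; it audits the JSON documents that S3 returns for a bucket's public-access block, bucket policy and default encryption. The bucket name, key alias and both sample configurations are constructed.

```python
# Added example: offline audit of one bucket's settings (all sample values constructed).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    # "*" and {"AWS": "*"} both mean unauthenticated, public access
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def audit_bucket(pab, policy, encryption):
    """Return findings for one bucket's public-access block, policy and default SSE."""
    findings = [f"public-access-block: {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    enforces_tls = False
    for st in _as_list(policy.get("Statement", [])):
        anyone, cond = _is_anyone(st.get("Principal")), st.get("Condition", {})
        if st.get("Effect") == "Allow" and anyone and not cond:
            findings.append(f"policy: statement {st.get('Sid', '?')} allows anyone")
        tls_flag = str(cond.get("Bool", {}).get("aws:SecureTransport")).lower()
        if st.get("Effect") == "Deny" and anyone and tls_flag == "false":
            enforces_tls = True  # plain-HTTP requests are rejected
    if not enforces_tls:
        findings.append("policy: no Deny for aws:SecureTransport=false")
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in encryption.get("Rules", [])}
    if "aws:kms" not in algos:
        findings.append("encryption: default SSE is not aws:kms")
    return findings

ARN = "arn:aws:s3:::example-resumes"  # constructed bucket name
EXPOSED = (
    dict.fromkeys(PAB_FLAGS, False),
    {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                    "Action": "s3:GetObject", "Resource": ARN + "/*"}]},
    {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
)
HARDENED = (
    dict.fromkeys(PAB_FLAGS, True),
    {"Statement": [{"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
                    "Action": "s3:*", "Resource": [ARN, ARN + "/*"],
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-key"}}]},
)
if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(*cfg))
```

An Allow statement for everyone that carries a Condition is not flagged by this check and still needs manual review.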