College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data

Updated on: 10 October 2021

Bernard Meyer
Senior Researcher

We recently discovered an unsecured Amazon S3 (Simple Storage Service) bucket, or database, containing nearly 1 million records of sensitive high school student academic information.

Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.

The unsecured bucket seems to belong to CaptainU, an online platform that purports to help connect student athletes and colleges or universities that are interested in recruiting them for their athletic programs. Because of that, the bucket also contains pictures and videos of students’ athletic achievements, messages from students to coaches, and other recruitment materials.

Because the data leaks concern minors (being high school students) aged 13-18, this leak seems particularly sensitive.

Choose the best virus protection for yourself in 2021
Find out how a VPN can help you stay protected online
See our list of the best VPNs on offer

On May 22, we reached out to CaptainU to help them secure their database. When we received no response from the company, we contacted Amazon on June 1 to get the issue fixed. However, while they were able to secure the indexing on June 9, the files are still accessible.

Through an Amazon representative, CaptainU claimed that the sensitive educational data was "meant to be openly available." But it seems that CaptainU never mentioned this fact to the students or their parents.

Rick Garcia, whose daughter had at one point been a member of CaptainU -- and whose personal files are still contained in the database -- informed us that he never knew or intended for his daughter's information to be publicly available, but to just share that on the platform for other coaches to see. "We did not agree to publish all of her educational information to the public," he said. "We thought we were just giving her GPA."

CaptainU has not responded to repeated requests for comment.

What data is in the bucket?

The unsecured Amazon S3 bucket contains the following data:

GPA scores
unofficial transcripts
ACT, SAT, and PSAT scores
student IDs
student and parent names, addresses, phone numbers, and some email addresses
messages from students to coaches
pictures and videos of athletic achievements
recruitment material, camp schedules, and other coaching-related documents

Roughly 40,000 of these are PDFs of students’ academic scores, 20,000 are Word documents – usually messages sent to colleges, 278+1135 are Excel sheets, and the remaining (about 85,5807 files) are images and videos of students’ athletic showcases. Some of the documents within the database are duplicates.

Examples of exposed records

Let’s look at some examples of the sensitive academic records that the CaptainU database is leaking.

Here’s what looks to be an ID with the student’s name, GPA, SAT score, high school, phone number and email address:

We also found an unofficial transcript with similar information, plus class-by-class grades:

Then there are the SAT scores:

And ACT scores:

This is all sensitive information, and parents and students will likely be unhappy that nearly 1 million of their records are being exposed online.

Who owns the bucket?

The bucket seems to be owned by CaptainU, which is a college recruitment website aimed at helping student athletes get in contact with university coaches. The site states that it has helped “more than 2 million athletes” follow their dreams of entering a college team.

CaptainU is a subsidiary of Stack Sports, whose LinkedIn page states that it is “the global leader in sports technology” that provides services for “national governing bodies, youth sports leagues, clubs and associations, parents, coaches and athletes.”

Who had access?

At this moment, it’s unclear who had access to this unsecured Amazon S3 server. The data may have been exposed for a short or long period of time – some of the documents date back to 2016, while some images go back even further to 2012. However, at this moment it isn’t known if that is the time when the files were created, or when they were uploaded to the database.

Nonetheless, because of the relative ease of finding and looking through these unsecured S3 databases, there’s a chance that others have accessed this data.

What’s the impact?

High school students, being largely minors, are protected under various laws, while students in general have their academic records protected under the Family Educational Rights and Privacy Act (FERPA). This federal law, amongst other things, provides parents the “control over the disclosure of personally identifiable information from the education records.” When the student turns 18 or enters college, the rights transfer from the parents to the students.

In either case, the parents or student chooses who to disclose the information to, and an unsecured database removes that choice and that control from them.

However, FERPA seems to apply only to “educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education.”

Since CaptainU is a private company, and because the students or parents willingly handed over the academic and personal data to this private company, there seems to be little legal consequence.

Nonetheless, bad actors can use this data for targeted phishing campaigns (for example, emailing parents with institution-only data like student IDs or scores and pretending to be an official), or even blackmailing, cyberbullying or exploiting the students themselves.

Disclosure

We reached out to CaptainU to notify them of their unsecured database on May 22. However, we received no response from the company. We then contacted Amazon to help fix the issue.

An Amazon representative then informed us that CaptainU intended this information to be publicly available. In an attempt to confirm that information, and to understand whether CaptainU's members -- both the students and their parents -- knew that the educational information they've supplied to CaptainU would be accessible to the general public, we contacted parents of students whose data has been leaked.

With this, we attempted to contact CaptainU via the Amazon representative, as well as through their website. We still have not received any responses from CaptainU, and the files are still accessible.