
College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data

by Bernard Meyer
9 September 2020
in Security

We recently discovered an unsecured Amazon S3 (Simple Storage Service) bucket, or database, containing nearly 1 million records of sensitive high school student academic information.

Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.

The unsecured bucket seems to belong to CaptainU, an online platform that purports to help connect student athletes and colleges or universities that are interested in recruiting them for their athletic programs. Because of that, the bucket also contains pictures and videos of students’ athletic achievements, messages from students to coaches, and other recruitment materials.

Because the leaked data concerns minors (high school students aged 13-18), this leak seems particularly sensitive.

On May 22, we reached out to CaptainU to help them secure their database. When we received no response from the company, we contacted Amazon on June 1 to get the issue fixed. However, while they were able to secure the indexing on June 9, the files are still accessible.

Through an Amazon representative, CaptainU claimed that the sensitive educational data was “meant to be openly available.” But it seems that CaptainU never mentioned this fact to the students or their parents.

Rick Garcia, whose daughter had at one point been a member of CaptainU — and whose personal files are still contained in the database — informed us that he never knew or intended for his daughter’s information to be publicly available; he meant only to share it on the platform for other coaches to see. “We did not agree to publish all of her educational information to the public,” he said. “We thought we were just giving her GPA.”

CaptainU has not responded to repeated requests for comment.

What data is in the bucket?

The unsecured Amazon S3 bucket contains the following data:

  • GPA scores 
  • unofficial transcripts
  • ACT, SAT, and PSAT scores
  • student IDs
  • student and parent names, addresses, phone numbers, and some email addresses
  • messages from students to coaches
  • pictures and videos of athletic achievements
  • recruitment material, camp schedules, and other coaching-related documents

Roughly 40,000 of these are PDFs of students’ academic scores, 20,000 are Word documents – usually messages sent to colleges, 278+1135 are Excel sheets, and the remaining files (about 855,807) are images and videos of students’ athletic showcases. Some of the documents within the database are duplicates.

Examples of exposed records

Let’s look at some examples of the sensitive academic records that the CaptainU database is leaking.

Here’s what looks to be an ID with the student’s name, GPA, SAT score, high school, phone number and email address:

student ID with blurred info

We also found an unofficial transcript with similar information, plus class-by-class grades:

censored unofficial transcript

Then there are the SAT scores:

censored SAT score

And ACT scores:

censored ACT score

This is all sensitive information, and parents and students will likely be unhappy that nearly 1 million of their records are being exposed online.

Who owns the bucket?

The bucket seems to be owned by CaptainU, which is a college recruitment website aimed at helping student athletes get in contact with university coaches. The site states that it has helped “more than 2 million athletes” follow their dreams of entering a college team.

CaptainU is a subsidiary of Stack Sports, whose LinkedIn page states that it is “the global leader in sports technology” that provides services for “national governing bodies, youth sports leagues, clubs and associations, parents, coaches and athletes.”

Who had access?

At this moment, it’s unclear who had access to this unsecured Amazon S3 server. The data may have been exposed for a short or long period of time – some of the documents date back to 2016, while some images go back even further to 2012. However, at this moment it isn’t known if that is the time when the files were created, or when they were uploaded to the database.

Nonetheless, because of the relative ease of finding and looking through these unsecured S3 databases, there’s a chance that others have accessed this data.

What’s the impact?

High school students, being largely minors, are protected under various laws, while students in general have their academic records protected under the Family Educational Rights and Privacy Act (FERPA). This federal law, amongst other things, provides parents the “control over the disclosure of personally identifiable information from the education records.” When the student turns 18 or enters college, the rights transfer from the parents to the students.

In either case, the parents or the student choose who to disclose the information to, and an unsecured database removes that choice and that control from them.

However, FERPA seems to apply only to “educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education.”

Since CaptainU is a private company, and because the students or parents willingly handed over the academic and personal data to this private company, there seems to be little legal consequence.

Nonetheless, bad actors can use this data for targeted phishing campaigns (for example, emailing parents with institution-only data like student IDs or scores and pretending to be an official), or even blackmailing, cyberbullying or exploiting the students themselves.

Disclosure

We reached out to CaptainU to notify them of their unsecured database on May 22. However, we received no response from the company. We then contacted Amazon to help fix the issue.

An Amazon representative then informed us that CaptainU intended this information to be publicly available. In an attempt to confirm that information, and to understand whether CaptainU’s members — both the students and their parents — knew that the educational information they’ve supplied to CaptainU would be accessible to the general public, we contacted parents of students whose data has been leaked.

With this, we attempted to contact CaptainU via the Amazon representative, as well as through their website. We still have not received any responses from CaptainU, and the files are still accessible.
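The state described above, where the indexing was secured but the files stayed accessible, corresponds to a bucket that no longer grants anonymous listing but still grants anonymous object reads. The following is an added example, not part of the original article, of how a bucket owner could audit a bucket policy for each grant separately. It assumes access is controlled by a bucket policy (the article does not say how this bucket was configured); the bucket name and both sample policies are constructed, and ACLs, Deny statements and Block Public Access settings are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed sample policies; "example-bucket" is a placeholder name.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
# Listing removed, object reads left in place.
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}


def _as_list(value):
    """Policy fields may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement's principal is everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_exposure(policy):
    """Return the subset of {'list', 'read'} granted to anyone.

    'list' means s3:ListBucket (enumerating object keys);
    'read' means s3:GetObject (fetching an object whose key is known).
    """
    exposed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not counted
        for pattern in _as_list(stmt.get("Action", [])):
            pattern = pattern.lower()  # action names are case-insensitive
            if fnmatchcase("s3:listbucket", pattern):
                exposed.add("list")
            if fnmatchcase("s3:getobject", pattern):
                exposed.add("read")
    return exposed
```

A result of `{"read"}` means anyone holding an object URL, for example one recorded while listing was still open, can still download that file.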

Comments 1
  1. John Li says:
    4 months ago

    I’m sure it’s 100% intended for all the student’s mailing addresses to be publicly available.
