
Athlete Recruiting Software Company Discloses Data Breach 7 Months after Student-Athlete Data is Exposed

Alina BÎZGĂ

July 29, 2020


In January 2020, a security researcher discovered an exposed server belonging to Front Rush, an athlete-recruiting software company offering solutions to more than 9,500 college teams at over 850 institutions across the United States.

The initial report was kept low key, and it appears that the unsecured server contained over 700,000 files including medical records, performance reports, driver's licenses and other personally identifiable information of college athletes.

Yesterday, however, Front Rush disclosed that it has started informing potentially affected individuals about the security incident that was overlooked 7 months ago.


According to the data breach notification, “on or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazon Web Services S3 buckets (“the S3 bucket”) was publicly accessible from the internet.”

The company said the S3 bucket contained:

• Attachments uploaded by the college institutions (such as transcripts, injury reports, or athletic reports)
• Attachments that were uploaded by student athletes, prospective student athletes or their parents/guardians

As disclosed by the report, the type of personal information exposed varied by individual. However, Front Rush reveals that data sets may have included first and last names, date of birth, Social Security number, Driver’s License Number/State ID Number, student ID number, passport number, other ID number, financial account information, payment card information, mother’s maiden name, birth certificate, username or email address and password, electronic signature, Medicare/Medicaid number, diagnoses, prescriptions, disability information, information, other medical information, health insurance subscriber and group numbers and other health insurance information.

The company claims that, upon learning of the event, it immediately opened an investigation alongside third-party security experts. It appears that the S3 bucket housing the database was publicly accessible between January 18, 2016 and January 8, 2020.

The report says that while there is “no evidence to suggest that the S3 bucket was accessed by anyone other than the security researcher, logs were not sufficient to show whether anyone else had accessed the data.”

College institutions were notified on June 15, and letters to potentially impacted individuals for whom address information was available were sent out starting on July 27.

It's unclear why the company waited to notify affected individuals. However, the company hinted that they were waiting on the results of the data mining investigation before publicly disclosing impacted athletic departments across the country.

“To date, Front Rush has not received any reports that personal information has been misused as a result of this incident,” the notification reads.

The data breach could have serious consequences for athletes, parents and guardians. Even if there is no evidence that the unsecured data was accessed by malicious actors, the fact that the server was left unprotected for four years leaves room for serious debate.

Victims should be aware that, with such a variety of exposed personally identifiable information (PII), the chances of identity theft are high. As such, “Front Rush encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, promptly change any involved account passwords, and to review account statements, and credit reports for suspicious activity.”

The company has also provided credit monitoring to individuals who had a Social Security Number or Driver’s License Number/State ID exposed and notified state regulatory authorities.
