Athlete Recruiting Software Company Discloses Data Breach 7 Months after Student-Athlete Data is Exposed

Alina BÎZGĂ

July 29, 2020

In January 2020, a security researcher discovered an exposed server belonging to Front Rush, an athlete-recruiting software company offering solutions to more than 9,500 college teams at over 850 institutions across the United States.

The initial report was kept low key, and it appears that the unsecured server contained over 700,000 files including medical records, performance reports, driver's licenses and other personally identifiable information of college athletes.

Yesterday, however, Front Rush disclosed that it has started informing potentially affected individuals about the security incident that was overlooked 7 months ago.

According to the data breach notification, “on or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazon Web Services S3 buckets (“the S3 bucket”) was publicly accessible from the internet.”

The company said the S3 bucket contained:

• Attachments uploaded by the college institutions (such as transcripts, injury reports, or athletic reports)
• Attachments that were uploaded by student athletes, prospective student athletes or their parents/guardians

As disclosed by the report, the type of personal information exposed varied by individual. However, Front Rush reveals that data sets may have included first and last names, date of birth, Social Security number, Driver’s License Number/State ID Number, student ID number, passport number, other ID number, financial account information, payment card information, mother’s maiden name, birth certificate, username or email address and password, electronic signature, Medicare/Medicaid number, diagnoses, prescriptions, disability information, information, other medical information, health insurance subscriber and group numbers and other health insurance information.

The company claims that, upon learning of the event, it immediately opened an investigation alongside third-party security experts. It appears that the S3 bucket housing the database was publicly accessible between January 18, 2016 and January 8, 2020.

The report says there is “no evidence to suggest that the S3 bucket was accessed by anyone other than the security researcher, logs were not sufficient to show whether anyone else had accessed the data.”

College institutions were notified on June 15, and letters to potentially impacted individuals for whom address information was available were sent out starting on July 27.

It's unclear why the company waited to notify affected individuals. However, the company hinted that they were waiting on the results of the data mining investigation before publicly disclosing impacted athletic departments across the country.

“To date, Front Rush has not received any reports that personal information has been misused as a result of this incident,” the notification reads.

The data breach could have serious consequences for athletes, parents and guardians. Even if there is no evidence that the unsecured data was accessed by malicious actors, the fact that the server was left unprotected for four years leaves room for serious debate.

Victims should be aware that, with such a variety of exposed personally identifiable information (PII), the chances of identity theft are high. As such, “Front Rush encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, promptly change any involved account passwords, and to review account statements, and credit reports for suspicious activity.”

The company has also provided credit monitoring to individuals who had a Social Security Number or Driver’s License Number/State ID exposed and notified state regulatory authorities.
