Researchers at vpnMentor have uncovered an unsecured database holding the personal records of special-needs school children and their parents.
Some 50,000 invoices belonging to Encore Support Services, a special education and behavioral health service provider, were identified, according to a recent report.
The non-password-protected database contained a variety of personally identifiable information about students who attend public schools in New York and about their parents:
A breakdown of the publicly exposed records includes:
“The invoices also contained the vendor’s information, EIN / SSN tax identification and billing hours from the detailed vendor payment requests,” the report reads. “The cost of the services ranged from $150-$170 an hour and would be paid or reimbursed by the Department of Education. These services were provided according to the students’ diagnosis. The invoices contained a ‘Service Type’ field with different codes that could potentially indicate why they were receiving special needs services or identify medical data about students. These records were publicly exposed, without password protection in place or encryption, to anyone with an internet connection.”
While researchers can’t tell whether threat actors or other individuals accessed the information, publicly exposed databases always pose risks for consumers.
In this case, nefarious individuals could target the parents or guardians of children to get their hands on highly sensitive info that could be used to steal the child’s identity.
Using social engineering, a criminal could hypothetically contact the parent and pretend to be an Encore Support Services employee or school representative and simply say, “We are updating our records and need your child’s social security number (SSN) or other information,” the researchers warned.
“They could also say there is a small payment due and request a credit card number. The parent would have no reason to doubt the fraudster because they would know case numbers, therapy history, the student’s ID or OSIS number, and other insider information.”
Nobody is safe from data breaches.
Check now whether your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection. The dedicated identity protection service helps you stay on top of data breaches and privacy threats, with 24/7 monitoring and instant alerts whenever your personal information is at risk.
If you’re worried about how identity crimes may harm your financial and physical wellbeing, opt for a comprehensive identity theft protection plan (US only) that offers continuous monitoring and instant alerts, alongside recovery services and insurance to help you recover out-of-pocket expenses in case you fall victim.