Data of special-needs school children and their parents exposed online


March 28, 2023


Researchers at vpnMentor have uncovered an unsecured database holding the personal records of special-needs school children and their parents.

Some 50,000 invoices belonging to Encore Support Services, a special education and behavioral health service provider, were identified, according to a recent report.

The non-password-protected database contained a variety of personally identifiable information belonging to students who attend public schools in New York and to their parents.

A breakdown of the publicly exposed records includes:

  • 47,192 data items totaling 6.74 GB; some of it dates back to 2018
  • Invoices belonging to Encore Support Services submitted to the Impartial Hearing Order Implementation Unit, Division of Specialized Instruction and Student Support Special Education Office of New York
  • Student’s unique nine-digit OSIS number, issued to all students who attend the New York public school system
  • Service types that may indicate a child’s disability, and notes on medical care/services provided either at school or at home, which also revealed the names and home addresses of parents

“The invoices also contained the vendor’s information, EIN / SSN tax identification and billing hours from the detailed vendor payment requests,” the report reads. “The cost of the services ranged from $150-$170 an hour and would be paid or reimbursed by the Department of Education. These services were provided according to the students’ diagnosis. The invoices contained a ‘Service Type’ field with different codes that could potentially indicate why they were receiving special needs services or identify medical data about students. These records were publicly exposed, without password protection in place or encryption, to anyone with an internet connection.”

Are there any immediate risks?

While researchers can’t tell whether threat actors or other individuals accessed the information, publicly exposed databases always pose risks for consumers.

In this case, nefarious individuals could target the parents or guardians of children to get their hands on highly sensitive info that could be used to steal the child’s identity.

Using social engineering, a criminal could hypothetically contact the parent and pretend to be an Encore Support Services employee or school representative and simply say, “We are updating our records and need your child’s social security number (SSN) or other information,” the researchers warned.

“They could also say there is a small payment due and request a credit card number. The parent would have no reason to doubt the fraudster because they would know case numbers, therapy history, the student’s ID or OSIS number, and other insider information.”

Nobody is safe from data breaches.

Check now whether your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection. The dedicated identity protection service helps you stay on top of data breaches and privacy threats, with 24/7 monitoring and instant alerts whenever your personal information is at risk.

If you’re worried about how identity crimes may harm your financial and physical wellbeing, opt for a comprehensive identity theft protection plan (US only) that offers continuous monitoring and instant alerts, alongside recovery services and insurance to help you recover out-of-pocket expenses in case you fall victim.




Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
