Trove of UK Student Records Exposed in School Software Server Leak

Cybersecurity researcher Jeremiah Fowler identified a misconfigured cloud server that impacted hundreds of thousands of students in the United Kingdom. Fowler disclosed his findings through WebsitePlanet, outlining how a UK-based school tracking software provider unintentionally exposed individuals to the risk of a data breach.

In the report shared with Hackread.com prior to its publication on Wednesday, March 27, 2024, it was revealed that the server contained almost a million (864,603) records, with approximately 214,000 of them being unique images of children.

In addition to the images, the exposed database contained sensitive information including student names, enrolled subjects, academic achievements, and indications of learning disabilities. Shockingly, these records covered a period from 2017 to 2023.

Screenshot from the exposed server (Credit: Website Planet)

According to Fowler, the server was affiliated with OTrack, also known as Optimum Pupil/Sonar Tracker, developed by Juniper Education. OTrack is utilized by over 7,000 primary and secondary schools across the United Kingdom and is an effective platform for tracking pupil performance and managing schools.

It is a fact that schools are one of the most targeted industries however, a data leak related to student software is not new. Earlier in January this year, Fowler reported similar findings impacting students from a Texas-based school when its safety software provider developed by Raptor Technologies exposed around 4,024,001 records to the public.

Upon discovering the misconfiguration, Fowler promptly notified the responsible parties through a responsible disclosure notice, leading to the swift closure of public access to the server.

However, the question remains whether unauthorized individuals had accessed it and to what extent the data may have been misused. The full scope of the data leak can be uncovered only through an internal forensic audit.

Another worth mentioning positive outcome is that, unlike businesses that deny data breaches, the company’s data protection officer, representing Juniper Education, assured that an investigation would be carried out.

Nevertheless, the server misconfiguration goes on to show the critical importance of prioritizing proper cybersecurity measures, especially when dealing with the sensitive data of minors. With educational institutions relying more on digital platforms, it’s critical to take precautions to effectively secure student information.

RELATED TOPICS