US education software company exposed personal data of 1.2M students

SmarterSelect, a U.S.-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket.

The data spill, discovered by cybersecurity company UpGuard, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes and invoices for approximately 1.2 million applications to funding programs, dated from November 2020 to September 21, 2021. SmarterSelect’s website says it has served 1.6 million people to date.

One folder in the public bucket held 23,000 spreadsheets and 8,000 ZIP files, according to UpGuard’s analysis. For applicants, these files contained contact information like name, email address and phone number, as well as far more probing details such as their parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations.

Some files also contained longer documents such as letters of recommendation and personal essays detailing poverty, physical and sexual abuse, domestic violence and other personal information, UpGuard said.

Another directory, which contained some 2.79 million files, included even more sensitive data on applicants. This included student photos where required for the application, financial documents such as Free Application for Federal Student Aid (FAFSA) forms that in some cases included full Social Security numbers, proof of COVID-19 vaccinations and descriptions of hardships.

UpGuard first notified SmarterSelect about the breach on September 15 and then again on September 27. The company acknowledged the warning on September 30, before revoking public access to the bucket on October 5. It’s not known whether any malicious actors accessed the data while it was exposed.

“The contents of the bucket also serve as a reminder of the risks of collecting and retaining sensitive data, particularly for populations like college students,” UpGuard said. “The process of applying to, attending, and securing funding for university education requires young people to provide detailed information about themselves to a complex institutional supply chain.

“Even well-intentioned programs aiming to assist students who have been disadvantaged by circumstances beyond their control — in fact, especially those programs that seek to help those most in need — require a detailed accounting of the facts of one’s life.”

It’s not yet clear whether SmarterSelect has notified those affected by the breach, nor whether it has alerted the relevant state attorney general offices per data breach notification law. TechCrunch asked SmarterSelect for comment but did not immediately hear back.