"Personal Information of Over 30,000 Students Exposed in Unprotected Database"

Security researchers at SafetyDetectives discovered the personal information of more than 30,000 students on an improperly secured Elasticsearch server. The server was left connected to the internet and did not require a password to access the data within. The researchers estimate that it exposed more than one million records representing the personally identifiable information (PII) of 30,000 to 40,000 students. The exposed information included full names, email addresses, phone numbers, credit card information, transaction and purchased-meal details, and login information stored in plain text. The researchers stated that the improperly secured server was being updated when it was discovered, and that they found evidence of server logs showing student data being exposed.

The researchers noted that the 5GB database appeared to contain the details of students who are Transact Campus account holders. Transact Campus works with higher education institutions in the United States, which means the majority of impacted students are US individuals. The company provides an application that students can use with a unique personal account (called Campus ID) to make payments and purchases, and which can also be used for activities such as event access, class attendance monitoring, and more.

The researchers could not determine whether malicious actors accessed the unprotected database before it was secured. They contacted Transact Campus about the unprotected server in December 2021 but did not receive a reply until January 2022, after they had contacted US-CERT as well. The database had already been secured at that time, but Transact Campus denied being responsible for the breach. Transact Campus told the researchers that the server was set up by a third party for a demo and was never taken down. Transact Campus also stated that the dataset consisted of fake data and did not use any production data. However, when the researchers checked a sample of the data, it seemed to belong to real people.

 

SecurityWeek reports: "Personal Information of Over 30,000 Students Exposed in Unprotected Database"

 

Submitted by Anonymous on