NYC Special Needs Students' Records Found Exposed on Web

Researcher Says Database Containing Nearly 50,000 Documents Appears Secure Now

Tens of thousands of documents containing personal information of special education students within New York City's public school system were held in an unsecured database exposed to the internet.

Researcher Jeremiah Fowler of security services firm Security Discovery told Information Security Media Group he found the unsecured database in mid-February and immediately notified Encore Support Services, the apparent owner of the database. The database has since been secured, Fowler said.

Neither Encore nor the New York City public school system immediately responded to ISMG's requests for comment on Fowler's findings and for additional details, including whether the incident would be reported to regulators as a data breach.

The exposed documents were billing invoices submitted by Encore - a provider of education and behavioral health services to children ages 5 and up with special needs such as autism - to a unit of New York's public school system responsible for specialized instruction and educational services.

Information contained in the invoices included student and parent names, addresses, types of services students received, length of sessions, and costs.

Some of the approximately 47,200 records contained in the 6.74-gigabyte database appear to pertain to some of the same students who received various services from Encore over multiple years, as far back as 2018, Fowler said. That made it difficult for him to conclude how many individual students' information was potentially exposed.

Also unclear is how long the documents were left unsecured on the database and how the incident occurred, he said.

"Often, companies and organizations will upload records or documents in a general storage database and then create non-password-protected links to an individual image assuming that it is safe, when it is not," Fowler said. "This link to the document could be accessible to parents or the individual employee in a private email or user account. The problem with this method is that someone who has that link can see the name and location of the database and access all of the records," he said.

It is "a major security flaw" for sensitive or health-related data to be shared this way, Fowler said. "The fact that the records were still there and not wiped out by ransomware tells me they were most likely not exposed for very long."

Security firm Emsisoft recently reported that 45 U.S. school districts operating 1,981 schools were affected by ransomware attacks in 2022.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
