Thousands of Children Exposed In UK Student Tracking Software Data Breach

Jeremiah Fowler March 27, 2024
Cybersecurity researcher Jeremiah Fowler discovered, and reported to WebsitePlanet, a non-password-protected database containing over 800,000 documents belonging to a UK-based school tracking software provider.

The publicly exposed database contained 864,603 records, including an estimated 214,000 unique images of children. It also held 150 .xml and .xls files listing students' first and last names, the subjects they took, their achievements, and any potential learning disabilities. The records date from 2017 to 2023. Documents in the database (as well as the database's name) indicate that the data belonged to a tracking product called OTrack (also known as Optimum Pupil or Sonar Tracker). Juniper Education, the developer of the software, states that OTrack is used by more than 7,000 primary and secondary schools in the UK. According to its website, Juniper Education also provides school financial management, teacher training, education HR support, and school visit planning services alongside pupil performance tracking.

I immediately sent a responsible disclosure notice and public access was restricted shortly after. It is not known how long the data was exposed or who else may have gained access to the database. Only an internal forensic audit could identify unauthorized access or malicious activity, if any. I received a reply from Juniper Education’s data protection officer thanking me for the notification. They indicated that they would be investigating the incident, but did not provide any additional information or updates after public access to the database was restricted and the data was secured.

Exposed educational data about children is a serious potential risk and raises numerous privacy and security concerns. Children are particularly vulnerable because they may not be aware of the identity risks involved, and misuse of their personal data can go undetected for extended periods. Educational data that reveals a child's learning disabilities, special needs, or behavioral issues is not intended to be public; if exposed, it could result in stigmatization or discrimination later in life, and academic records or transcripts containing negative information could affect future educational or employment opportunities. The UPN (unique pupil number) is an identifier assigned to each student in the UK educational system and used to identify that student across all schools and educational information systems, including tracking of their progress throughout their education. An exposed UPN could hypothetically be cross-referenced with other past or future data breaches to assemble additional personal information. I am not saying that children or the schools who use Optimum Pupil tracking software or Juniper Education's services are at risk. I am only indicating the importance of safeguarding the personal information of children and identifying the real-world hypothetical risks if children's data are mishandled or fall into the wrong hands.

Educational institutions are often targeted by cyber criminals because of the personal information they collect and store. Unfortunately, schools usually do not have large budgets for cyber security and data protection, which can make them a particularly attractive target. A 2022 report on cyber security in UK schools found that, of 174 schools surveyed, 62% had never implemented any training or guidance on cyber security. Furthermore, 48% of the schools in the study had experienced attempted ransomware attacks, and 17% reported being the victim of some other form of cyber attack. The most concerning statistic was that 31% of the schools had no formal IT security policy. The lack of funding, training, and uniform cyber standards is likely a significant reason why many schools rely on third-party services and applications to manage their data. However, as this incident highlights, outsourcing to a company that specializes in managing that data does not by itself guarantee that the data is protected.

What Can Schools Located in the UK Do?

Protecting data from cyber attacks and implementing data protection measures is crucial for educational institutions. The Data Protection Act 2018 implements the General Data Protection Regulation (GDPR) in UK law and sets strict requirements for protecting data and reporting data incidents, but schools must do more to secure the sensitive information they store and maintain. I highly recommend schools:
  • Train staff on data protection policies and procedures, highlighting the importance of cybersecurity and safeguarding data.
  • Establish a permissions structure so that access to data is granted by staff role or on an as-needed basis. Access to sensitive information should be limited to authorized personnel only, and the same expectation should apply to any third-party provider that holds pupil data on the school's behalf.
  • Use firewall protection to monitor and control incoming and outgoing network traffic, and ensure that databases and other data stores are never reachable from the internet without authentication. A data store that answers anyone who connects, as in this incident, bypasses every other control on the list.
  • Back up vital records and store the backups separately from the primary network. With a proper backup plan, if the network experiences a cyber attack, school operations can be restored with minimal disruption.
  • Encrypt sensitive records to protect data from unauthorized access. When records are encrypted and the key is kept separate from the data, a leaked copy of the data store yields only ciphertext. Note that encryption at rest does not help if the store itself serves decrypted records to any unauthenticated request; it complements access control rather than replacing it.
Taking these basic steps can help schools secure their data and the personal information of their students.
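The failure at the centre of this incident was a data store that answered anyone who connected to it, with no credentials required. As an added example (not code from the article, Website Planet, or Juniper Education), the following Python script shows the kind of outside-in check a school or its provider can run against its own HTTP-fronted data stores: it sends one unauthenticated GET to the root of the service and reports whether data comes back. Everything in it is constructed for the demonstration: the three local mock servers stand in for an exposed store, a store that demands credentials, and an ordinary web page; the record contents, the Basic-auth credential, and the loopback ports are assumptions, and no real service is contacted.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample record; nothing here is real pupil data.
SAMPLE_RECORDS = [{"pupil_id": "constructed-001", "name": "Sample Pupil", "sen": "none"}]


class ExposedHandler(BaseHTTPRequestHandler):
    """Mimics a misconfigured store: any GET, no credentials, returns records."""

    def do_GET(self):
        body = json.dumps({"hits": SAMPLE_RECORDS}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class ProtectedHandler(ExposedHandler):
    """Same store, but it refuses requests that lack a credential (assumed user:secret)."""

    def do_GET(self):
        if self.headers.get("Authorization") != "Basic dXNlcjpzZWNyZXQ=":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="store"')
            self.end_headers()
            return
        super().do_GET()


class HtmlHandler(ExposedHandler):
    """An ordinary web page: 200, but not a data dump. The check must not flag this."""

    def do_GET(self):
        body = b"<html><body>School landing page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Bind a mock server to a free loopback port and serve it on a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, timeout=3.0):
    """Send an unauthenticated GET and classify what the endpoint does with it.

    Returns "EXPOSED" when the root answers 200 with a JSON body (data served to
    a stranger), "AUTH_REQUIRED" on 401/403, and "OTHER" for anything else,
    including unreachable hosts. The check deliberately sends no credentials.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).strip()
            if resp.status == 200 and body.startswith((b"{", b"[")):
                return "EXPOSED"
            return "OTHER"
    except urllib.error.HTTPError as err:
        return "AUTH_REQUIRED" if err.code in (401, 403) else "OTHER"
    except (urllib.error.URLError, OSError):
        return "OTHER"


def run_demo():
    """Run the probe against the three constructed endpoints and return the verdicts."""
    servers = {
        "exposed": start_server(ExposedHandler),
        "protected": start_server(ProtectedHandler),
        "html": start_server(HtmlHandler),
    }
    try:
        return {
            name: probe(f"http://127.0.0.1:{srv.server_port}/")
            for name, srv in servers.items()
        }
    finally:
        for srv in servers.values():
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Run this from a network position outside the school or provider (a home connection or a cloud VM), not from inside the LAN, because the question it answers is whether the public internet can read the store. An "EXPOSED" verdict is the condition described in this article and should be treated as an incident, not a finding to schedule.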

I imply no wrongdoing by OTrack, Juniper Education, or the educational institutions, nor do I claim that any children or students were ever at risk. I publish my findings for educational purposes and to raise awareness of real-world cyber security threats and the importance of data protection. It is not known how long the data was exposed or if anyone else gained access to the records. As an ethical researcher, I never download the data I find and take a limited number of screenshots during a manual review to validate and responsibly report my findings. It is unclear if schools, parents, or the Information Commissioner’s Office have been notified of the incident.
