Personal information of tens of thousands of special education students within New York City’s public school system was exposed in an unsecured database, according to security researcher Jeremiah Fowler.
He found the database in mid-February and notified the owner, Encore Support Services, which has since secured the database.
The exposed documents contained billing invoices submitted by Encore for education and behavioral health services to children with special needs, including student and parent names, addresses, types of services students received, length of sessions, and costs.
It is not clear how many individual students’ information was potentially exposed, as some records pertained to the same students who received services from Encore over multiple years, going as far back as 2018. It is also unclear how long the documents were left unsecured and how the incident occurred.
Fowler noted that sensitive data should not be shared in the manner in which the documents were uploaded to the database, and that it was a “major security flaw.”
He also observed that the fact that the records were not wiped out by ransomware indicates that they were likely not exposed for very long.
This incident comes amid reports that 45 U.S. school districts operating 1,981 schools were affected by ransomware attacks in 2022, according to security firm Emsisoft.
Neither Encore nor the New York City public school system has commented on the incident or on whether it would be reported to regulators as a data breach.
The incident highlights the importance of securing personal information and the potential risks involved in storing sensitive data in an unsecured manner.