Records show that K12.com, a web-based educational firm, has suffered a massive breach of 7 million student records due to an insecure MongoDB database server. Bob Diachenko, a security researcher at Comparitech, observed that student data from K12.com was publicly exposed on June 25, 2019. According to his findings, it took K12.com more than a week to secure the MongoDB database and plug the leak. The following student records were part of the leak:
- School name
- A+LS account authentication keys (A+nyWhere Learning System)
- Other uncategorized data
“K12 takes data security very seriously. Whenever we are advised of a potential security issue, we investigate the problem immediately, and take the appropriate actions to remedy the situation,” explained a representative of K12.com. The breach casts doubt on the security of the A+LS system, which covers 1,100 school districts.
The trouble stemmed from K12.com’s continued use of MongoDB version 2.6.4, a release that has been unsupported since October 2016. Running such old software means unpatched vulnerabilities could be exploited; as a result, unknown third parties were able to extract data from the database, and ordinary search engines were able to crawl and index it. Diachenko also noted that the systems used by K12.com had an open Remote Desktop service, one of the biggest mistakes a system administrator can make.
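The exposure pattern described above (an end-of-life server build, listening on every interface, with no authentication) is something a defender can check for mechanically. The following audit script is an added example and is not code from the article, from K12.com or from MongoDB. It assumes the YAML form of `mongod.conf` (the parser handles only the flat `section:` / `  key: value` subset that file uses) and embeds two constructed configurations, a weak one and a hardened one, purely for illustration. The only end-of-support date it knows is the one the article gives for the 2.6 series; other series would have to be added from MongoDB's published lifecycle schedule.

```python
"""Audit a mongod.conf (YAML subset) plus a server version for the exposure
pattern described in the article: unsupported build, public bind, no auth.
Added example; the configs below are constructed, not K12.com's real files."""

# Constructed sample: listens on every interface and enforces no authentication.
WEAK_CONF = """\
# mongod.conf - weak: all interfaces, no authorization
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: loopback plus one internal address, authorization enforced.
HARDENED_CONF = """\
# mongod.conf - hardened: restricted bind, authorization enabled
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

# The article gives one end-of-support date: the 2.6 series, October 2016.
# Extend this table from MongoDB's lifecycle schedule for other series (assumption).
END_OF_SUPPORT = {(2, 6): "October 2016"}

# bindIp values that expose the listener on every interface.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "*"}


def parse_minimal_yaml(text):
    """Parse the 'section:' / '  key: value' subset of YAML that mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level section such as net: or security:
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None:              # indented key: value inside the section
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(conf_text, version):
    """Return a list of finding strings; an empty list means no issue was detected."""
    findings = []

    # 1. Unsupported release: flag the series the article names, or anything older.
    major, minor = (int(x) for x in version.split(".")[:2])
    if (major, minor) in END_OF_SUPPORT:
        findings.append(
            f"version {version}: unsupported since {END_OF_SUPPORT[(major, minor)]}")
    elif (major, minor) < min(END_OF_SUPPORT):
        findings.append(f"version {version}: older than the oldest tracked series")

    conf = parse_minimal_yaml(conf_text)

    # 2. Network exposure: a public bind lets search engines and anyone else reach the port.
    net = conf.get("net", {})
    bind = {b.strip() for b in net.get("bindIp", "").split(",") if b.strip()}
    if net.get("bindIpAll", "").lower() == "true" or bind & PUBLIC_BINDINGS:
        findings.append("net.bindIp: mongod listens on all interfaces")
    elif not bind and (major, minor) < (3, 6):
        # Builds before 3.6 bound every interface when bindIp was not set; 3.6+ default to localhost.
        findings.append("net.bindIp not set: this release binds every interface by default")

    # 3. Authentication: without authorization, anyone who reaches the port reads every collection.
    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled")

    return findings


if __name__ == "__main__":
    for label, conf, ver in (("weak", WEAK_CONF, "2.6.4"), ("hardened", HARDENED_CONF, "4.2.0")):
        print(f"{label} ({ver}):", audit(conf, ver) or ["no findings"])
```

Running the script prints three findings for the weak configuration on 2.6.4 and none for the hardened one. The bind check is deliberately version-aware, because an absent `bindIp` meant different things before and after the 3.6 default change; an audit that treats "not set" as safe would have passed a 2.6-era server that was in fact listening on the public Internet.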
The data exposure apparently lasted from June 23 to July 1, which means that at the time of the June 25 disclosure the incident was still ongoing. As the ultimate victims of the breach are students who have not yet reached legal age, it is not yet clear whether they can sign up for a credit-monitoring service to protect their names from being abused through identity theft. On the flip side, because undergraduate students have not reached legal age, they do not yet have social security or bank information that hackers can steal.
All A+LS students are strongly advised to closely monitor their communication channels, such as email, SMS and instant messaging apps, for possible spear-phishing attacks. Spear-phishing campaigns need only basic information; through clever social engineering, the lure is delivered to the victim as a legitimate-looking notification that requires an action from the recipient. Never respond to such messages, let alone click any link or open any attachment they contain.
Prior to this incident, K12.com was considered a very secure platform by its administrators, but one small mistake, such as leaving critical software like the MongoDB server unpatched for three years, is a recipe for disaster. Schools and educational institutions are attractive targets for cybercriminals, as these organizations rarely have enough funding for comprehensive programs that defend against cyber attacks coming from the Internet. The only recourse is to help students and staff identify weaknesses in the system through internal training. They need to be aware of mistakes on their part that may expose their personally identifiable data to unexpected public exposure.