[BreachExchange] Data breach: State says Tennessee student data may have been accessed on college planning site

Destry Winant destry at riskbasedsecurity.com
Mon Jul 29 10:24:15 EDT 2019


https://www.tennessean.com/story/news/education/2019/07/23/tennessee-high-school-students-data-breach-collegefortn-website/1810024001/

Student data may have been accessed by an unauthorized party on a site
connected to schools across Tennessee, the Tennessee Higher Education
Commission and the Department of Education said Tuesday.

Graduation Alliance, a third-party state vendor providing data and web
hosting services, reported a possible data breach to servers that
contained some student information.

Graduation Alliance hosts CollegeforTN.org, a college and
career-planning website.

The data stored on the servers under review does not include Social
Security numbers, financial, driver’s license or health information, a
release from the concerned parties indicated.

However, fields including names, birthdays, gender, ethnicity and, on
a smaller batch of records, ACT scores were present.

Investigation ongoing

In the same release, THEC Executive Director Mike Krause said that
students and their families deserve to have confidence in their
pursuit of higher education.

“We’ll be monitoring the investigation closely and will provide
updates for students and their parents as information becomes
available,” he said. “We are working closely with law enforcement to
ensure students’ privacy is protected.”

As soon as the unusual traffic was detected, the website was taken
offline and the Tennessee Bureau of Investigation, the Office of the
Comptroller and others were alerted to the situation. It was not
immediately clear when the access may have occurred.

Independent forensic experts have been hired by Graduation Alliance to
investigate and determine whether any information was actually
accessed. As of Tuesday, no evidence had been found to confirm that
student data was viewed or taken from the servers.

All access to the website has been taken out of service and will not
be restored until the forensic investigation is completed.

