[BreachExchange] State, vendor: No student data breach on college, career planning sites connected to TN schools

Destry Winant destry at riskbasedsecurity.com
Fri Sep 6 09:59:09 EDT 2019


No Tennessee student data was compromised last month when an
unauthorized party accessed a state vendor's web site, an
investigation has found.

In July, Graduation Alliance, a third-party state vendor providing
data and web hosting services to schools across the state, reported a
possible data breach to servers that contained some student

Graduation Alliance hosts CollegeforTN.org, a college and
career-planning website.

On Wednesday, Graduation Alliance and the Tennessee Higher Education
Commission announced the completed investigation found no student data
had been exposed and that a technical breach had not occurred.
Graduation Alliance had suspected one because of unusual traffic on
some servers.

“Immediately after determining a possible breach had occurred, our
agency, working with the website vendor and the Tennessee Bureau of
Investigation, launched an inquiry focused on ensuring the privacy of
Tennessee students,” said THEC Executive Director Mike Krause in a
statement. “We are, of course, relieved that the inquiry indicated no
student data was taken and want to thank the TBI, the Attorney General
and the state’s Strategic Technology Solutions team for their
assistance throughout this process.”

The data stored on the servers under review did not include Social
Security numbers, financial, driver’s license or health information
but did include names, birthdays, gender, ethnicity and, on a smaller
batch of records, ACT scores.

Graduation Alliance had removed website access and hired an
independent forensics firm.

 "We are grateful for the diligent and swift actions that our team
took to intercept this attack,"  the company said in a statement.
"Protecting the privacy and security of our students' and customers'
information is a top priority. As we move forward, we will continue to
look for opportunities to enhance our cybersecurity and data
protection strategy.”

More information about the BreachExchange mailing list