Bernard Meyer reports:
We recently discovered an unsecured Amazon S3 (Simple Storage Service) bucket, or database, containing nearly 1 million records of sensitive high school student academic information.
Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.
The unsecured bucket seems to belong to CaptainU, an online platform that purports to help connect student athletes and colleges or universities that are interested in recruiting them for their athletic programs. Because of that, the bucket also contains pictures and videos of students’ athletic achievements, messages from students to coaches, and other recruitment materials.
So CyberNews reached out to CaptainU to notify them of the leak and to try to get it locked down. They got no reply, so they contacted Amazon Abuse, who have really gotten much better about reaching out to their customers quickly to lock things down.
But while CaptainU secured the index, the files themselves are reportedly still available. CyberNews reports:
Through an Amazon representative, CaptainU claimed that the sensitive educational data was “meant to be openly available.” But it seems that CaptainU never mentioned this fact to the students or their parents.
Read more on CyberNews.
3. SHARING OF YOUR INFORMATION
We may share your personal information in the instances described below. For further information on your choices regarding your information, see the “Your Choices About Your Information” section below.
Remember, our Service allows you to connect with others and share information about yourself with other individuals and organizations. Your profile information, including your name, photo, and other personal information, will be available publicly to other members of the Service by default and may be searchable by search engines which may display certain of your information publicly. If you are an athlete on CaptainU, you may be able to adjust your profile settings to entirely prevent the general public from viewing your profile, though it will remain visible to other users of the Service. Also, remember that organizations and other third parties that use CaptainU Services may have their own data collection and use policies that CaptainU does not control, even in situations where CaptainU may access or maintain such data on behalf of the organization. Please review the privacy policies of any third party organization before sharing your personal information with that organization.
We may also share your personal information with:
A. Other companies owned by Stack Sports or under common ownership with CaptainU. These companies will use your personal information in the same way as we can under this policy;
B. Third-party vendors and other service providers that perform services on our behalf, as needed to carry out their work for us, which may include identifying and serving targeted advertisements, billing, payment processing, content or service fulfillment, or providing analytic services;
C. Trusted business partners who may use your information to contact you about opportunities that may be of interest to you.
D. Other users of the CaptainU Service. Your information, including both information you provide and information we have collected about you from other users, may be searchable by or made available to other users of the Service. These users may contact you via email or, with your consent, via SMS/text messages. Once your information has been shared with another user of the Service, that user may use and maintain copies of your information outside of the Service. You may be able to control some elements of data sharing through your settings.
E. With colleges and universities. CaptainU may disclose your personal information directly or via a third party to representatives of accredited colleges and universities that you have indicated you are interested in attending, as well as to representatives of other accredited colleges and universities that CaptainU and/or our business partners may be of interest to you.
F. The public. Any information that you voluntarily disclose for posting to the Service is viewable by other users and the public. For example, a tournament director may print a list of athletes at an event and distribute that list to tournament attendees who may or may not be members of the Service.
G. Other parties in connection with a company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company or third party or in the event of a bankruptcy or related or similar proceedings; and
We may also aggregate or otherwise strip data of all personally identifying characteristics and may share that aggregated, anonymized data with third parties.