The NYC public school for special education students recently caused a massive blunder, revealing thousands of documents containing personal data in an unsecured database.
A researcher discovered the unsecured database a few months ago and immediately alerted the owner. The apparent owner of the exposed database is Encore Support Service. The owner allegedly secured the database since the report came.
However, the New York City public school system and Encore have not addressed any questions regarding the incident to give further details. Hence, other relevant individuals and regulators could not classify the incident as a data breach.
The exposed NYC public school documents included data on children with special needs.
According to investigations, the billing invoices submitted by Encore were also part of the exposed documents of the NYC public school. The uncovered documents were part of the affected entity since it provides education and behavioural health services to children with special attention, such as autism.
Encore is a New York public school system unit in charge of educational services and specialised instruction.
The confirmed information in the exposed invoices is student and parent full names, types of services students received, addresses, length of sessions, and costs.
Some of the exposed records in the database relate to some of the same students who received services from Encore over several years. It is difficult for the researchers to confirm the exact number of potentially exposed students’ data.
The exposure time of the documents on the public-facing internet is still unclear to researchers, meaning some individuals could have acquired that leaked data.
Researchers explained that most companies would upload documents or records in a public storage database and then develop non-password-protected links to an individual image.
It is one of the primary security flaws in securing sensitive data for sharing. Organisations should avoid these behaviours to avoid accidental data exposure. Companies should practice a more secure way of keeping data, especially for educational and healthcare services.
