The personal details of hundreds of thousands of US students were exposed to hackers after a database was left unsecured by Get Schooled, an education charity set up by the Bill & Melinda Gates Foundation and Viacom.
Get Schooled was set up a decade ago to help students from low-income, minority and immigrant backgrounds with their college applications and financial aid, and to offer job advice.
But it left a database of 125m records, including 930,000 email addresses belonging to children, teenagers and college students, “open and accessible” earlier this year when it overhauled its website, said the UK cyber security company TurgenSec.
TurgenSec said the database included names, age, gender and school and graduation details of the individuals. Contact information such as addresses and phone numbers was also accessible.
The cyber security company said it had been told about the problem by a third party who had accessed the data.
Get Schooled disputed the size of the breach, saying it believed that about 250,000 accounts were left exposed. It said that under a third of those accounts, around 75,000, were linked to email addresses that remain active. It estimated that about 20,000 phone numbers and 12,000 mailing addresses could have been accessed, but said no birth dates or financial details were included in the database.
TurgenSec alerted Get Schooled to the issue on November 17 and the breach was resolved on December 21. The charity said it would launch a thorough review in the new year to ensure a similar issue does not happen again.
Since its launch, Get Schooled has helped 1m teenagers and young adults that signed up into further education and employment by providing advice on scholarships, financial aid and helping with college applications.
The size of the data breach is smaller than high-profile, financially-oriented attacks on the likes of British Airways and Target but highlights the struggles that smaller companies and organisations face in keeping data on their users secure.