Researchers at vpnMentor have stumbled upon an unsecured database that holds sensitive personal records of special-needs students and their parents.
The recent report highlights that this database, which was not password-protected, contained around 50,000 invoices connected to Encore Support Services, a company offering special education and behavioral health services.
The exposed database housed a variety of personally identifiable information related to students attending public schools in New York and their parents. It held over 47,000 items totaling nearly 7 GB, with some records going back as far as 2018, and the report illustrates the risk to public safety.
The database also revealed service types that might hint at a child’s disability, along with notes about medical care or services provided either at school or at home. This exposed sensitive details such as the names and home addresses of parents. The invoices contained vendor information, EIN/SSN tax identification, billing hours, and service costs.
These services were provided based on the student’s specific needs, with the invoices displaying a “Service Type” field that could potentially indicate the reason for receiving special needs services or additional medical data about the students. This means that all of the information is completely exposed.
Although researchers cannot confirm if cybercriminals or other unauthorized individuals accessed the exposed data, its public availability poses significant risks to those affected. Cybercriminals might target parents or guardians to acquire sensitive information, which could be used for identity theft.
Criminals could then use various social engineering strategies to threaten the family’s identity. For example, they could pretend to be an Encore Support Services employee or a school representative. After contacting the parent and requesting personal information like a child’s Social Security number or credit card details for an alleged small payment, they could use that information for further identity theft, potentially stealing from the family without anyone noticing.