Total Registration exposed the personal information of students who registered for AP and PSAT exams

• The storage bucket included a mail merge spreadsheet that contained data for almost 13,000 students.
• The information in the mail merge spreadsheet belonged to students from various school districts including Chandler School District in Arizona, St. Vrain Valley School District in Colorado, Community High School District 117 in Illinois, and Utica Community Schools in Michigan, among others.

A misconfigured Amazon storage bucket belonging to Total Registration exposed the personal information of students who registered for AP and PSAT exams in April.

Total Registration is a contractor that provides online registration services for students to register for AP, IB, and PSAT/NMSQT exams. A number of school districts or schools have a contract with Total Registration. Over 525,000 students from more than 1,220 schools have registered with Total Registration in 2018.

What happened?

In April 2019, a security researcher who uncovered the leaky database reported to DataBreaches.net. Following this, DataBreaches.net notified the contractor about the database and received a response that the issue has been taken care of.

However, when asked whether they have notified the students and the client school districts about the incident, they did not receive a response.

What data was exposed?

The storage bucket included a mail merge spreadsheet that contained data for almost 13,000 students. The data includes students’ names, ID numbers, email addresses, their parent’s email addresses, phone numbers, postal addresses, the AP exams registered, as well as the exam dates and the invigilators.

• Apart from the mail merge spreadsheet, the storage bucket also included hundreds of other files with data of over hundreds of students from various school districts.
• Some of the files also contained students’ dates of birth, gender, age, as well as other demographic information of both students and parents.
• One directory contained almost 300,000 unique email addresses.

Who were impacted?

The information in the mail merge spreadsheet belonged to students from various school districts listed below.

• Chandler School District in Arizona
• St. Vrain Valley School District in Colorado
• Community High School District 117 in Illinois
• Utica Community Schools in Michigan
• Edina Public Schools in Minnesota
• Wake County Public Schools in North Carolina
• Wausau School District in Wisconsin
• Fox Chapel Area School District in Pennsylvania
• Cherokee County School District in Georgia
• Woodland Joint Unified School District in California
• Pflugerville Independent School District (ISD) in Texas
• Cypress Fairbanks ISD in Texas
• Friendswood ISD in Texas
• Midway ISD in Texas
• RoundRock ISD in Texas
• Lewisville ISD in Texas
• Duncanville ISD in Texas
• Garland ISD in Texas

On May 7, 2019, DataBreaches.net notified few school districts about the data exposure including Miller Place School District in NewYork and the St. Vrain Valley School District in Colorado.