Schoolzilla Security Issue Exposes Data for 1.3 Million Students and Staff

Students, parents, teachers, administrators and others using the Schoolzilla data platform were recently informed of a security issue that made information for more than 1.3 million users vulnerable to hackers.

The issue was uncovered by Chris Vickery, a white-hat computer security researcher best known for discovering an exposed database containing more than 191 million American voter registration records. Vickery currently runs the Security Watch blog for MacKeeper, an anti-virus software firm, and leads MacKeeper’s Analytical and Security Center.

In a recent Security Watch blog post, Vickery said that he discovered a file configuration error in an analysis of Schoolzilla, which “made the all too common mistake of configuring their cloud storage (an Amazon S3 bucket) for public access. I discovered the bucket after noticing a few other unsecured buckets related to the Tableau data visualization platform.” He found an exposed bucket called “sz.tableau” and began looking for other “sz” iterations, only to find a repository for Schoolzilla’s database backups.

“I downloaded several of the production backups, the largest was titled ‘Web_Data_FULL’ and weighed in at 12 gigs,” he wrote. “After loading them into a local MSSQL instance I did some review and concluded that this was most likely real student data and did indeed come from Schoolzilla.”

Vickery wrote that the company was quick to respond to his data breach notification ticket — and without shooting the messenger or accusing Vickery of being a hacker. Within a few days, the CEO personally contacted each client to relay the news.

In a Schoolzilla blog post, CEO and founder Lynzi Ziegenhagen said, “As soon as we learned of it, we immediately fixed the error and confirmed no one accessed any information, other than the researcher. We are grateful that the researcher informed us quickly, so we were able to fix it quickly. Once resolved, we spent the next two days calling each of our customers personally and explaining the technical safeguards that will prevent this from happening again.”

In response to the security breach, Schoolzilla has launched a forum “for lessons learned, best practices and advice from experts” on information security and how “to serve students better with data.”

View the message from the CEO on the Schoolzilla site.

About the Author

Sri Ravipati is Web producer for THE Journal and Campus Technology.
