The Princeton Review may have made private information public

Date Reported:
8/18/08

Organization:
The Princeton Review

Contractor/Consultant/Branch:
"a new Internet provider"

Victims:
Students

Number Affected:
"tens of thousands", at least 108,000

Types of Data:
Names, dates of birth, ethnicities, learning disabilities, test scores, and other personal information.  This breach also exposed a significant amount of confidential organization information including educational materials, internal communications, course schedules, internal analysis, instructor evaluations, proprietary book texts, and other sensitive internal information.

Breach Description:
"The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks."

Reference URL:
The New York Times

Report Credit:
Brad Stone, The New York Times

Response:
From the online source cited above:

The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.

A flaw in configuring the site allowed anyone to type in a relatively simple Web address and have unfettered access to hundreds of files on the company’s computer network, including educational materials and internal communications.
[Evan] Does "on the company's computer network" mean the same as their internal network?  Since the files were reachable by typing a Web address, and some of them turned up in search engines, this reads as a directory on the public Web server rather than the internal LAN.  What kind of configuration would allow this type of access?  One address opening up hundreds of files is what you get when a directory of internal material sits under the public document root with no access control, quite possibly with directory listing enabled as well.  Network and information resource segmentation is one of the most basic information security principles, and keeping internal files off the public Web server is straightforward to design.  This is a pretty significant blunder.

Another test-preparatory company said it stumbled on the files while doing competitive research.
[Evan] How embarrassing!

This company provided The New York Times with the Web address of the internal files on the condition that it not be named.
[Evan] The Princeton Review would surely like to know who the "not to be named" competitor is.  This is a twist in the story that will likely go on for some time, although it is irrelevant to the fact that The Princeton Review made a significant mistake in its care of confidential information.

The Times informed the Princeton Review of the problem on Monday, and the company promptly shut off access to that portion of its site.

One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla., where the Princeton Review was hired to build an online tool to help the county measure students’ academic progress.

The file included the students’ birthdays and ethnicities, whether they had learning disabilities, whether English was their second language, and their level of performance on the Florida Comprehensive Assessment Test, which is given to students in grades 3 to 11.
[Evan] This information in the wrong hands has the potential to be very damaging to the victims.

Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va., which had hired the Princeton Review to measure and improve student performance.

The Princeton Review said the student information should have been protected by a password, but that the protection was most likely lost when the company moved its site to a new Internet provider in late June.
[Evan] This is one strong reason why it is critical that information security personnel get involved with moves/adds/changes.  It is apparent that there was not adequate information security review and testing on at least two points: access control (the password protection did not survive the move to the new provider) and network/resource segmentation (ineffective or non-existent).  A hosting migration checklist should include re-testing every path that is supposed to require credentials on the new host, before DNS is cut over, rather than assuming the old host's configuration came along with the files.
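As an added example (not code from The Princeton Review, the article, or any vendor named on this page), here is the kind of post-migration check described above: a list of paths that must stay password-protected is fetched on the new host, and anything that answers with content or a directory index is reported.  The local server, the /private/ and /internal/ paths and the students.csv file are constructed for the demonstration; the Python standard-library http.server stands in for a new hosting provider that serves whatever sits in the document root, directory listings included.

```python
"""Post-migration exposure check.

Added example, not code from The Princeton Review or the article.  Every path
that is supposed to require a password is fetched on the new host and
classified:

  protected : 401 or 403, as expected
  listing   : a directory index was served (one address, hundreds of files)
  open      : content served with 200
  missing   : 404

Anything other than "protected" is a finding.  The local server, the paths and
the students.csv file are constructed for the demonstration.
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Title strings of the generated index pages of Apache and nginx ("Index of /...")
# and of Python's http.server ("Directory listing for ...").
DIRECTORY_INDEX_MARKERS = ("Index of /", "Directory listing for")


def classify(url):
    """Fetch one URL and return 'protected', 'listing', 'open' or 'missing'."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if err.code in (HTTPStatus.UNAUTHORIZED, HTTPStatus.FORBIDDEN):
            return "protected"
        if err.code == HTTPStatus.NOT_FOUND:
            return "missing"
        return "open"  # any other status is still a finding
    if any(marker in body for marker in DIRECTORY_INDEX_MARKERS):
        return "listing"
    return "open"


def audit(base_url, must_be_protected):
    """Classify every path on the must-be-protected list, keyed by path."""
    base = base_url.rstrip("/")
    return {path: classify(base + path) for path in must_be_protected}


def findings(results):
    """Paths whose protection did not survive the move."""
    return {path: state for path, state in results.items() if state != "protected"}


class DemoHandler(http.server.SimpleHTTPRequestHandler):
    """Constructed stand-in for the new provider: /private/ still challenges
    for a password, while /internal/ is served straight from disk, directory
    index included, which is the failure described in the article."""

    def do_GET(self):
        if self.path.startswith("/private/"):
            self.send_response(HTTPStatus.UNAUTHORIZED)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        super().do_GET()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Serve a constructed document root, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "internal"))
        with open(os.path.join(root, "internal", "students.csv"), "w") as fh:
            fh.write("name,dob,fcat_level\nconstructed,2000-01-01,3\n")  # fake row
        handler = functools.partial(DemoHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            results = audit(base, ["/private/", "/internal/", "/internal/students.csv"])
        finally:
            server.shutdown()
            server.server_close()
    return findings(results)


if __name__ == "__main__":
    for path, state in run_demo().items():
        print("FINDING  %-8s %s" % (state, path))
```

Run the same list against the old host before the move and against the new host before DNS is cut over; the only acceptable result for a path on the list is protected.  A missing result deserves a look too, since it usually means the content moved rather than that it is safe.  The marker strings cover the default index pages of Apache, nginx and Python's server; add your own server's title if it differs.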

The company said it was looking into how many people might have accessed the files, some of which could be found through search engines.

"As soon as I found out about this security issue we acted immediately to shut down any access to this information," said Stephen C. Richards, the company’s chief operating officer. "The Princeton Review takes Internet privacy seriously, and we are currently conducting a review of all of our procedures."
[Evan] Stating that you take privacy and information security seriously and demonstrating it through sound business decisions and actions are entirely different.  Most business leaders would state that they take security seriously, yet many don't have demonstrable evidence to back it up.  Business leaders don't necessarily need to know the details about how information is protected in their organizations, but they should be aware of the "program" and the strategic initiatives.  Let's hope that The Princeton Review's review of all procedures is an ongoing repeatable effort and not a one-time response.

Natalie Roca, executive director for research and testing at the Sarasota County public schools, said she was "surprised and troubled" by the release of the student data. She said the student information the county gave to the Princeton Review to build the testing tool was strictly confidential.

In addition to the information on students, the site contained the Princeton Review’s educational materials for the LSAT, PSAT and SAT exams, course schedules, an internal analysis of the effectiveness of the company’s instructors, and the entire texts of some Princeton Review books, like the 2008 edition of "Cracking the LSAT."
[Evan] The breach exposed not only personal information but also proprietary information.

One folder on the Web site gave unusual insight into how test preparation companies use older exams to prepare their practice tests.

The folder contained digital scans of eight official SATs and six PSAT exams from 2005 through 2007.

The tests are created by the Educational Testing Service, a nonprofit organization in Princeton, N.J.
[Evan] Copyright infringement?

An accompanying guide for Princeton Review exam writers, dated January 2008, said that the company’s "current SAT course diagnostic tests are not as reflective of the real E.T.S. tests as they should be." It then described "spiraling," or writing a new practice question based on an old question from the official test. The document instructs authors to avoid copyright infringement by obeying the "three word rule" - ensuring that no three consecutive words remain the same.

Ray Nicosia, the executive director of test security for the Educational Testing Service, said the company had retired the exams that were made available on the Princeton Review Web site and now sells them to tutorial companies. He said he would need more information to determine whether the Princeton Review had properly attained and used the exams.

"In this case it would have made sense for the company to separate information such as the names of the students from their test scores and whatever confidential information the company had," said Mike Haro, an analyst at Sophos, an Internet security firm. "But we are finding that companies today don’t change until they have experienced the pain of a data breach that is exposed to the public."
[Evan] Sad but true and also a poor business decision.  I remember reading a study cited by Michigan State School of Criminal Justice that stated something to the effect that every dollar spent on information security prevention leads to a potential savings of seven.  Too many organizations still have the "it will never happen to me" or the "we have gotten by this long without it (security)" mentality, which in my opinion is seriously flawed.
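The separation the Sophos analyst describes, as an added example (not the company's design): each student record is split into an identity table and an attribute table that share only a surrogate key, so a file of scores found on a Web server carries no name or date of birth.  It goes one step beyond the quote to show why the key must be random rather than derived from the identity: a SHA-256 of name and date of birth looks anonymous but is re-linked by anyone holding a roster.  All records, names and dates are constructed.

```python
"""Separating identities from sensitive attributes.

Added example, not the company's design.  Each student record is split into an
identity table (name, date of birth) and an attribute table (test level,
learning-disability flag, ...) that share only a surrogate key, so a file of
scores exposed on its own carries nothing that names a person.  The second half
shows why the key must be random: a hash of name and date of birth looks
anonymous but is re-linked by anyone holding a roster.  All records are
constructed.
"""
import hashlib
import secrets

IDENTITY_FIELDS = ("name", "dob")

# Constructed records; no real students.
RECORDS = [
    {"name": "Student A", "dob": "1998-03-14", "fcat_level": 3, "ld": False},
    {"name": "Student B", "dob": "1997-11-02", "fcat_level": 5, "ld": True},
]


def random_key(rec):
    """Good surrogate: random, unrelated to anything in the record."""
    return secrets.token_hex(16)


def hashed_key(rec):
    """Weak surrogate: deterministic hash of the identity fields."""
    return hashlib.sha256((rec["name"] + "|" + rec["dob"]).encode()).hexdigest()


def split_records(records, keyfunc=random_key):
    """Return (identities, attributes), two tables keyed by the surrogate."""
    identities, attributes = {}, {}
    for rec in records:
        key = keyfunc(rec)
        identities[key] = {f: rec[f] for f in IDENTITY_FIELDS}
        attributes[key] = {f: v for f, v in rec.items() if f not in IDENTITY_FIELDS}
    return identities, attributes


def rejoin(identities, attributes):
    """Only a holder of both tables can rebuild the full records."""
    return [dict(identities[k], **attributes[k]) for k in attributes]


def leaks_identity(attributes):
    """True if any identity field survived into the attribute table."""
    return any(f in row for row in attributes.values() for f in IDENTITY_FIELDS)


def relink(attributes, roster, keyfunc):
    """Attacker view: with only the attribute table and a roster of candidate
    identities, recompute the key for each candidate and look it up.  Against
    random keys there is nothing to recompute, so this finds nothing."""
    hits = {}
    for cand in roster:
        key = keyfunc(cand)
        if key in attributes:
            hits[cand["name"]] = attributes[key]
    return hits


def demo():
    """Compare the two key choices against the same roster."""
    roster = [{f: r[f] for f in IDENTITY_FIELDS} for r in RECORDS]
    ids, attrs = split_records(RECORDS)                     # random keys
    _, weak_attrs = split_records(RECORDS, keyfunc=hashed_key)
    return {
        "leaks": leaks_identity(attrs),
        "random_key_hits": len(relink(attrs, roster, hashed_key)),
        "hashed_key_hits": len(relink(weak_attrs, roster, hashed_key)),
        "rebuilt": rejoin(ids, attrs),
    }


if __name__ == "__main__":
    print(demo())
```

The rebuilt list is only available to whoever holds both tables, which is the whole point: store and ship them separately, with the identity table under the tighter control.  The hashed-key variant is a common shortcut, and the relink step shows that a roster (two names here, a class list in practice) is enough to undo it; if the same student must map to the same key across deliveries, an HMAC under a secret kept apart from the data is the deterministic option.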

Commentary:
This should be a very embarrassing incident for The Princeton Review and a good example for other organizations of what can happen when information security is not managed well throughout the business, routine changes such as a hosting move included.

Does this breach require a notification to the affected persons?

Past Breaches:
Unknown


 
Comments
  • 8/19/2008 11:57 AM Charles R. Curbo wrote:
    Why has the business community as well as the governmental community not received the message that confidential information needs to be protected? No governmental prosecution (civil or criminal) to speak of has occurred to date or looks to be forthcoming in the near future. If this continues and continues, how can people in good faith attack allegedly "greedy" trial lawyers who bring actions to get the attention of the business community, and try to rectify these problems? What other redress do affected persons have?

    In my personal opinion, further and further centralization and consolidation of data bases is a certain path to the ultimate total loss of privacy and security.
  • 8/20/2008 11:08 AM Benjamin Wright wrote:
    Evan: The whole question of what does and does not constitute a security "breach" is open to legal debate. (The reason for the debate is that virtually all data are exposed to one degree or another at all times.) One might argue that there was no meaningful breach at Princeton Review until the NY Times was informed. Hence, one might argue, the competitor caused (or contributed to) the breach! Liability? What do you think? --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
