School Accreditation Organization Data Breach Exposed Sensitive Information on Students, Parents, and Teachers Online

Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database that contained 680k records. Upon further investigation, it was identified that these records were related to educational institutions. Documents inside the database suggested that it belonged to the Southern Association of Independent Schools, Inc (SAIS).
In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records, to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered. The database contained a diverse collection of sensitive records that, when exposed, could unlock a wide range of potential risks. The files included multiple types of student and teacher records, health information, teacher background checks and social security numbers (SSN), active shooter and lockdown notifications, maps of schools, financial budgets, and much more. The documents ranged in date from 2012-2023.
One of the most interesting things I saw was third-party security reports marked as confidential that reviewed weaknesses in school security, locations of cameras, access and entry points, and more. These documents could pose a potentially serious real-world security risk to the safety of students and teachers. I immediately sent a responsible disclosure notice to SAIS and received a reply thanking me for the notification and promising that they would take action. The database was quickly secured from public access.
Southern Association of Independent Schools, Inc (SAIS) is a non-profit organization that supports schools and educators in the United States and several other countries. SAIS has been in operation for over 40 years. According to its website: [With] more than 380 member K-12 schools from 14 U.S. states, the Caribbean, and Latin America (representing 220,000+ students), SAIS is the largest regional independent school association in the country.
It is my understanding that the SAIS accreditation requires a broad range of detailed information from each school. The documents I saw in the database indicate possible requirements that include the following:
The school’s purpose, values, and educational philosophy.
Curriculum maps, course catalogs, scope and sequence documents, and other materials that outline the educational program offered.
Faculty credentials, qualifications, degrees, certifications, background checks, and professional development records.
Student and faculty guidelines, policies, and procedures related to student conduct, academic integrity, disciplinary actions, and faculty responsibilities.
Documentation related to the school’s financial statements, budget reports, or other financial records.
Information about the school’s facilities, safety protocols, emergency response plans, building codes, and health department regulations.
Contact details of parents or guardians and emergency notifications.
Health-related data, including medical history, immunization records, allergies, and any special accommodations or health concerns that may affect a student’s well-being at school.
What the database contained
Total number of records: 682,438 with a total size of 572.8 GB.
Documents were in a wide range of formats, including: PDF, Excel, PPTX, doc, docx, png, jpg, pages, and more.
Internal documents from multiple schools and educational institutions, which contained personally identifiable information (PII) and private medical information of students.
Teacher, faculty, and staff information such as qualifications, interviews, background checks, drug and alcohol testing, salary information, and more.
Other notable documents included budgets and financial reports, vehicle registrations, insurance policies, tax records, training documents, manuals, and other miscellaneous guides or certificates.
Exposed School Records Pose Significant Potential Risks

This database was a potential gold mine for criminals on many levels. The vast scope of records would allow for various types of criminal activity, ranging from simple extortion all the way up to identity theft or other financial crimes, such as a more complex man-in-the-middle scheme. For instance, some of the records I saw included tax documents that contained the legal entity information, tax ID number, and even loan agreements. Hypothetically, criminals would be able to provide all necessary information to apply for a loan or obtain credit in the school’s name. The criminal could potentially have account numbers and information that only authorized individuals with inside knowledge would have access to.
The possible risks associated with a single school data breach are bad enough, but in this case there were a large number of documents and records from multiple schools stored in a single database. Educational institutions collect a wide range of personal data that is necessary to enroll students, do educational reporting, and employ staff. PII is essential for enrollment, communication, and identification purposes, but it also could pose a substantial risk in the event of a data breach.
I highly recommend schools, educational institutions, and accreditation organizations take all possible steps to mitigate the risks of a data breach. First of all, they should implement basic cybersecurity measures, such as firewalls, encryption, and multi-factor authentication. Educational institutions should also train staff on cybersecurity best practices and develop an incident response plan to address data breaches if they occur.
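The root cause described above is a datastore that was reachable without any authentication. As an added example (not code from the article, SAIS, or WebsitePlanet), the following Python script audits an AWS-style JSON resource policy for unconditional anonymous read access and shows a weak policy beside a hardened one. It assumes the exposed datastore was a cloud object-storage bucket governed by such a policy; the article does not say what kind of database was involved, and the bucket name, account ID, and role name are constructed placeholders.

```python
"""Audit IAM-style bucket policies for anonymous read access.

Added example, not from the original article. It assumes the exposed
datastore was a cloud object-storage bucket governed by an AWS-style
JSON resource policy; the article does not identify the database type.
The two policies below are constructed for illustration.
"""
import json

# Actions that let an anonymous principal read or enumerate stored objects.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """IAM allows either a scalar or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_read(policy_json):
    """Return the Sids (or indexes) of statements that allow anonymous reads.

    A statement is flagged when it is an Allow, its principal is the
    wildcard, at least one of its actions is a read/list action, and it
    carries no Condition block that would narrow the grant.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not set(_as_list(stmt.get("Action"))) & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            # A conditioned grant (source IP, VPC, etc.) may still be too
            # broad, but it is not an unconditional public grant; review
            # those separately rather than flagging them here.
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed "before" policy: the document bucket is readable by anyone.
BUCKET_ARN = "arn:aws:s3:::example-accreditation-docs"  # placeholder name
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
})

# Constructed "after" policy: only a named reviewer role may read, and
# every request must use TLS (the Deny carries a Condition and is not an
# Allow, so the auditor correctly ignores it).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReviewerRoleRead",
            "Effect": "Allow",
            # 123456789012 is a placeholder account ID, not a real one.
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/AccreditationReviewer"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


if __name__ == "__main__":
    print("weak policy findings:", find_public_read(WEAK_POLICY))          # ['PublicRead']
    print("hardened policy findings:", find_public_read(HARDENED_POLICY))  # []
```

Running a check like this against every storage policy in an account (or in the infrastructure-as-code repository before deployment) catches the exact misconfiguration behind this exposure: an Allow for the wildcard principal with no narrowing condition. Encryption at rest and multi-factor authentication for administrators, as the article recommends, do not help once the policy itself grants the public read access.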
We imply no wrongdoing by the Southern Association of Independent Schools, Inc (SAIS) or the affiliated institutions, nor do we imply that the data of teachers, students, or parents was necessarily at risk during the exposure. It is unclear how long the database was publicly exposed or if anyone else gained access to these documents. We publish our findings to raise awareness and identify critical cybersecurity vulnerabilities or data exposures. As an ethical security researcher, I never download or store sensitive documents, and I only take a limited number of redacted screenshots for verification purposes. Schools and other educational institutions are required to comply with data protection laws such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). SAIS acted fast and professionally to secure the database and thanked me for my responsible disclosure notification. It is unclear if the potentially affected individuals or authorities have been notified of the data exposure.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered by Forbes, the BBC, and Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.