Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:12 PM
Connect Directly

Princeton Review Security Flaw Outed By Competitor

One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.

The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.

A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.

According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review's Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.

Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported. To find out more about managing risk this year, InformationWeek quizzed nearly 2,000 IT professionals about their plans and priorities for securing their companies' assets. Download the 2008 report here (registration required).

Indeed, hardly a week goes by without the report of a data breach.

On Monday, Richmond, Va.-based Dominion Enterprises disclosed that a computer in its InterActive Financial Marketing Group division was accessed by a hacker between November 2007 and February 2008. As a result, the names, addresses, birth dates, and Social Security numbers of the company's more than 92,000 online credit seekers may have been exposed.

"We have identified what system was compromised and how," a company spokesperson said in an e-mail. "In order to best protect our security systems, I cannot share more details with you about the intrusion."

And on Tuesday, The Irish Times reported that the personal details of 17,000 members of the Institute of Chartered Accountants in Ireland were inadvertently published online as a result of a Web site redesign.

The good news for those affected is that the Government Accountability Office last year found that data breaches seldom lead to identity theft. Out of the 24 largest publicly reported breaches between January 2000 and June 2005, the GAO found evidence of fraud in three of the incidents and evidence of unauthorized account creation in one of the incidents.

What's remarkable about the Princeton Review breach is that one of the testing company's competitors told The New York Times about the hole, under the condition that it not be named.

"It's interesting that this competitor chose to go to a major media outlet about this rather than drop a quiet note to the Princeton Review," said Graham Cluley, senior technology consultant at Sophos, a message security firm. "Clearly they were intending to get some commercial advantage out of this. I think there's a message here for other companies: It's not just hackers that may find a security hole; it's competitors, too."

Phil Neray, VP marketing at Guardium, a database security firm, remains skeptical that other companies are likely to engage in the counter-marketing of rivals. He said it would be hard for him to imagine that, for example, Dell might point out a security hole in HP's Web site. "It sounds like [the testing industry] is a very competitive industry and that's why this happened there," he said.

Cluley said that companies need to understand that if they have sensitive information, they need to take steps to protect it. He added that companies should really only collect information they need and that they should delete data after it is no longer needed.

According to Neray, the problem lies in management. "Boards of directors and management teams have not made [data protection] a priority in many, many companies," he said. "The reason why this has to come from the top is that in many cases you're asking business units to change bad business practices. And you need budgets [to invest in database protection]."


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...