Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:12 PM
Connect Directly

Princeton Review Security Flaw Outed By Competitor

One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.

The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.

A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.

According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review's Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.

Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported. To find out more about managing risk this year, InformationWeek quizzed nearly 2,000 IT professionals about their plans and priorities for securing their companies' assets. Download the 2008 report here (registration required).

Indeed, hardly a week goes by without the report of a data breach.

On Monday, Richmond, Va.-based Dominion Enterprises disclosed that a computer in its InterActive Financial Marketing Group division was accessed by a hacker between November 2007 and February 2008. As a result, the names, addresses, birth dates, and Social Security numbers of the company's more than 92,000 online credit seekers may have been exposed.

"We have identified what system was compromised and how," a company spokesperson said in an e-mail. "In order to best protect our security systems, I cannot share more details with you about the intrusion."

And on Tuesday, The Irish Times reported that the personal details of 17,000 members of the Institute of Chartered Accountants in Ireland were inadvertently published online as a result of a Web site redesign.

The good news for those affected is that the Government Accountability Office last year found that data breaches seldom lead to identity theft. Out of the 24 largest publicly reported breaches between January 2000 and June 2005, the GAO found evidence of fraud in three of the incidents and evidence of unauthorized account creation in one of the incidents.

What's remarkable about the Princeton Review breach is that one of the testing company's competitors told The New York Times about the hole, under the condition that it not be named.

"It's interesting that this competitor chose to go to a major media outlet about this rather than drop a quiet note to the Princeton Review," said Graham Cluley, senior technology consultant at Sophos, a message security firm. "Clearly they were intending to get some commercial advantage out of this. I think there's a message here for other companies: It's not just hackers that may find a security hole; it's competitors, too."

Phil Neray, VP marketing at Guardium, a database security firm, remains skeptical that other companies are likely to engage in the counter-marketing of rivals. He said it would be hard for him to imagine that, for example, Dell might point out a security hole in HP's Web site. "It sounds like [the testing industry] is a very competitive industry and that's why this happened there," he said.

Cluley said that companies need to understand that if they have sensitive information, they need to take steps to protect it. He added that companies should really only collect information they need and that they should delete data after it is no longer needed.

According to Neray, the problem lies in management. "Boards of directors and management teams have not made [data protection] a priority in many, many companies," he said. "The reason why this has to come from the top is that in many cases you're asking business units to change bad business practices. And you need budgets [to invest in database protection]."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.