
Attacks/Breaches

8/19/2008
06:12 PM

Princeton Review Security Flaw Outed By Competitor

One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.

The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.

A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.

According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review's Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.

Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported. To find out more about managing risk this year, InformationWeek quizzed nearly 2,000 IT professionals about their plans and priorities for securing their companies' assets. Download the 2008 report here (registration required).

Indeed, hardly a week goes by without the report of a data breach.

On Monday, Richmond, Va.-based Dominion Enterprises disclosed that a computer in its InterActive Financial Marketing Group division was accessed by a hacker between November 2007 and February 2008. As a result, the names, addresses, birth dates, and Social Security numbers of the company's more than 92,000 online credit seekers may have been exposed.

"We have identified what system was compromised and how," a company spokesperson said in an e-mail. "In order to best protect our security systems, I cannot share more details with you about the intrusion."

And on Tuesday, The Irish Times reported that the personal details of 17,000 members of the Institute of Chartered Accountants in Ireland were inadvertently published online as a result of a Web site redesign.

The good news for those affected is that the Government Accountability Office last year found that data breaches seldom lead to identity theft. Out of the 24 largest publicly reported breaches between January 2000 and June 2005, the GAO found evidence of fraud in three of the incidents and evidence of unauthorized account creation in one of the incidents.

What's remarkable about the Princeton Review breach is that one of the testing company's competitors told The New York Times about the hole, under the condition that it not be named.

"It's interesting that this competitor chose to go to a major media outlet about this rather than drop a quiet note to the Princeton Review," said Graham Cluley, senior technology consultant at Sophos, a message security firm. "Clearly they were intending to get some commercial advantage out of this. I think there's a message here for other companies: It's not just hackers that may find a security hole; it's competitors, too."

Phil Neray, VP of marketing at Guardium, a database security firm, remains skeptical that other companies are likely to engage in the counter-marketing of rivals. He said it would be hard for him to imagine that, for example, Dell might point out a security hole in HP's Web site. "It sounds like [the testing industry] is a very competitive industry and that's why this happened there," he said.

Cluley said that companies need to understand that if they have sensitive information, they need to take steps to protect it. He added that companies should really only collect information they need and that they should delete data after it is no longer needed.
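The Times report describes a site configuration that left hundreds of data files reachable from the Internet, and Cluley's advice is to hold only the data you need and delete it when it is no longer needed. The following is an added illustration, not code from the article or from any company it mentions: a small audit that sweeps a web document root for export-style files and for content that looks like personal data, so that anything not on a published allowlist is flagged for removal before a visitor finds it. The document root and every file in it are constructed sample data.

```python
"""Audit a web document root for bulk data files that should never be web-reachable.

Added example (not from the article). Sweeps a published directory tree for
export-style files and for content that looks like personal data; every hit is a
finding to delete or move outside the web root. All sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# File types that are almost never legitimate static web content.
EXPORT_SUFFIXES = {".csv", ".xls", ".xlsx", ".sql", ".bak", ".zip", ".mdb", ".txt"}
# Cheap content heuristics: personal-data column names and a US-style SSN shape.
PII_HEADER = re.compile(r"\b(ssn|social security|birth[ _]?date|dob|date of birth)\b", re.I)
SSN_SHAPE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scan_docroot(docroot, allowlist=()):
    """Return (relative_path, reason) for each suspicious file under docroot."""
    findings = []
    for path in sorted(Path(docroot).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(docroot).as_posix()
        if rel in allowlist:  # explicitly published files are skipped
            continue
        reasons = []
        if path.suffix.lower() in EXPORT_SUFFIXES:
            reasons.append("export-style file type")
        try:
            head = path.read_text(errors="replace")[:4096]  # inspect the first 4 KB only
        except OSError:
            head = ""
        if PII_HEADER.search(head):
            reasons.append("header names personal data fields")
        if SSN_SHAPE.search(head):
            reasons.append("SSN-shaped values")
        if reasons:
            findings.append((rel, "; ".join(reasons)))
    return findings


def build_sample_docroot():
    """Create a constructed document root: one benign page and two leaked files."""
    root = tempfile.mkdtemp()
    (Path(root) / "index.html").write_text("<html><body>Welcome</body></html>\n")
    (Path(root) / "data").mkdir()
    (Path(root) / "data" / "scores_2008.csv").write_text(
        "student_id,name,birth_date,score\n1001,Sample Student,1991-04-02,1450\n")
    (Path(root) / "data" / "notes.txt").write_text("applicant 123-45-6789 called\n")
    return root


if __name__ == "__main__":
    for rel, why in scan_docroot(build_sample_docroot()):
        print(f"FINDING {rel}: {why}")
```

Run from cron against the real document root and treat a non-empty result as a ticket, not a log line; the allowlist is the place to record the few data files that are meant to be public.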

According to Neray, the problem lies in management. "Boards of directors and management teams have not made [data protection] a priority in many, many companies," he said. "The reason why this has to come from the top is that in many cases you're asking business units to change bad business practices. And you need budgets [to invest in database protection]."
