Bernard Meyer reports:
We recently discovered an unsecured Amazon S3 (Simple Storage Service) bucket, or database, containing nearly 1 million records of sensitive high school student academic information.
Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.
The unsecured bucket seems to belong to CaptainU, an online platform that purports to help connect student athletes and colleges or universities that are interested in recruiting them for their athletic programs. Because of that, the bucket also contains pictures and videos of students’ athletic achievements, messages from students to coaches, and other recruitment materials.
CyberNews reached out to CaptainU to notify them of the leak and get it locked down. They got no reply, so they contacted Amazon Abuse, which has gotten much better about reaching out to its customers quickly to lock things down.
But while CaptainU secured the index (the bucket listing), the files themselves are reportedly still available: closing the listing hides the file names, but it does not by itself change who can fetch the files. CyberNews reports:
Through an Amazon representative, CaptainU claimed that the sensitive educational data was “meant to be openly available.” But it seems that CaptainU never mentioned this fact to the students or their parents.
Read more on CyberNews.
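The gap between "the index is locked" and "the files are private" is easy to miss because S3 treats listing a bucket (s3:ListBucket) and fetching an object (s3:GetObject) as separate permissions, and an object can also be public through its own ACL regardless of the bucket policy. The following Python is an added example, not code from CyberNews or CaptainU and not CaptainU's real configuration (which the reports do not include); the bucket policies and object ACLs in it are constructed to show what each of those three states looks like.

```python
"""Classify what an S3 bucket exposes to anonymous callers, offline,
from a bucket policy document and an object ACL.

Constructed example for illustration; the policies below are not
CaptainU's. Resource ARNs and Conditions are not evaluated here:
a statement with a Condition is flagged for manual review instead.
"""
import fnmatch

LIST, READ, WRITE = "s3:ListBucket", "s3:GetObject", "s3:PutObject"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} means any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy):
    """Return the set of interesting actions the bucket policy grants to everyone.

    A public Allow is cancelled by a public Deny on the same action, which is
    how "locking the index" looks when done as a Deny on s3:ListBucket.
    Statements carrying a Condition are skipped: they need request context.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_is_everyone(stmt.get("Principal")) or stmt.get("Condition"):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in (LIST, READ, WRITE):
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                target.add(action)
    return allowed - denied


def acl_public_read(acl):
    """True if an object ACL grants READ or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS) and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return True
    return False


def exposure(policy, object_acl):
    """Summarise what an anonymous user can do with the bucket and one object."""
    grants = public_grants(policy)
    return {
        "listable": LIST in grants,
        "readable": READ in grants or acl_public_read(object_acl),
        "writable": WRITE in grants,
    }


# Constructed policies. OPEN: index and files public. INDEX_LOCKED: the same
# policy plus a Deny on listing, the state the post describes. EMPTY: no policy.
_ALLOW_ALL = {"Effect": "Allow", "Principal": "*", "Action": [LIST, READ],
              "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [_ALLOW_ALL]}
INDEX_LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    _ALLOW_ALL,
    {"Effect": "Deny", "Principal": "*", "Action": LIST,
     "Resource": "arn:aws:s3:::example-bucket"},
]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

# Constructed object ACLs: owner-only versus the classic "public-read" canned ACL.
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    for name, pol, acl in [("open", OPEN_POLICY, PRIVATE_ACL),
                           ("index locked", INDEX_LOCKED_POLICY, PRIVATE_ACL),
                           ("no policy, public-read ACL", EMPTY_POLICY, PUBLIC_READ_ACL),
                           ("no policy, private ACL", EMPTY_POLICY, PRIVATE_ACL)]:
        print(f"{name:28s} {exposure(pol, acl)}")
```

The "index locked" case is the one to notice: listing is gone, so a scanner no longer sees file names, but every object is still fetchable by URL, and the "no policy, public-read ACL" case shows that a bucket policy review alone is not enough either. In a real account the durable fix is S3 Block Public Access at the bucket or account level, which overrides both public bucket policies and public object ACLs, followed by checking whether anything granted s3:PutObject, since a writable bucket is a different class of problem from a readable one.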
Did CaptainU fail to appropriately explain how their data would be shared or used? Or did parents just click through without carefully reading? Let’s look at part of their Privacy Policy:
3. SHARING OF YOUR INFORMATION
We may share your personal information in the instances described below. For further information on your choices regarding your information, see the “Your Choices About Your Information” section below.
Remember, our Service allows you to connect with others and share information about yourself with other individuals and organizations. Your profile information, including your name, photo, and other personal information, will be available publicly to other members of the Service by default and may be searchable by search engines which may display certain of your information publicly. If you are an athlete on CaptainU, you may be able to adjust your profile settings to entirely prevent the general public from viewing your profile, though it will remain visible to other users of the Service. Also, remember that organizations and other third parties that use CaptainU Services may have their own data collection and use policies that CaptainU does not control, even in situations where CaptainU may access or maintain such data on behalf of the organization. Please review the privacy policies of any third party organization before sharing your personal information with that organization.
We may also share your personal information with:
A. Other companies owned by Stack Sports or under common ownership with CaptainU. These companies will use your personal information in the same way as we can under this policy;
B. Third-party vendors and other service providers that perform services on our behalf, as needed to carry out their work for us, which may include identifying and serving targeted advertisements, billing, payment processing, content or service fulfillment, or providing analytic services;
C. Trusted business partners who may use your information to contact you about opportunities that may be of interest to you.
D. Other users of the CaptainU Service. Your information, including both information you provide and information we have collected about you from other users, may be searchable by or made available to other users of the Service. These users may contact you via email or, with your consent, via SMS/text messages. Once your information has been shared with another user of the Service, that user may use and maintain copies of your information outside of the Service. You may be able to control some elements of data sharing through your settings.
E. With colleges and universities. CaptainU may disclose your personal information directly or via a third party to representatives of accredited colleges and universities that you have indicated you are interested in attending, as well as to representatives of other accredited colleges and universities that CaptainU and/or our business partners [believe] may be of interest to you.
F. The public. Any information that you voluntarily disclose for posting to the Service is viewable by other users and the public. For example, a tournament director may print a list of athletes at an event and distribute that list to tournament attendees who may or may not be members of the Service.
G. Other parties in connection with a company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company or third party or in the event of a bankruptcy or related or similar proceedings; and
H. Third parties as required by law or subpoena or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) enforce our Terms of Use http://captainu.com/terms or protect the security or integrity of our Service; and/or (c) exercise or protect the rights, property, or personal safety of CaptainU, our Users, or others.
We may also aggregate or otherwise strip data of all personally identifying characteristics and may share that aggregated, anonymized data with third parties.
Their privacy policy was last updated on June 10, 2020 — the day after they locked down the index. Was it the same before then? Thanks to the miracles of archiving, we can determine that yes, that section of their privacy policy was the same on June 9. In fact, it was the same back in 2017 — including the use of boldface to emphasize the default sharing of information.
This may be a case of people not really spending the time to understand what they are consenting to. Or maybe this is yet another example of why notice and consent are not a good look for privacy any more. But it seems that what CaptainU does is consistent with what its privacy policy indicated it would do. So yes, it may have failed to lock down its bucket, and I don’t know if that left files writable or not, but in terms of making information publicly available, well, it turns out the site does make it publicly available anyway.