
Data Security Incident - Frequently Asked Questions

What should I do?

Take the usual prudent precautions with your personal data.  You should not open email from any unknown sender.  You should never open untrusted web links.  You should never provide personal information via email or over the phone to any unverified entity. Total Registration will never contact families to update financial information or to provide additional information.

Who is potentially affected?

Schools, and students at schools, that have used Total Registration for Advanced Placement, International Baccalaureate, and PSAT/NMSQT exam registrations are potentially affected if a registration was completed and either the student or a school user requested that a file be created (.pdf, .doc, .xls, etc.) for download or printing. The information in that file could have been temporarily held in an Amazon folder that was misconfigured.

What information was involved?

The only information accessible during this incident was information contained in reports run by authorized school personnel or in confirmations from student registrations. Additionally, based upon our investigation, only those reports that a user chose to save in .pdf, .csv, or .doc file format were accessible, and only for a 48-hour window.  After 48 hours, the files were deleted from S3.  If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, or .doc file, there was no file stored in S3.

The information contained in these reports could have included:

  • Name (students and/or parents)
  • Date of birth
  • Language
  • Grade level
  • Sex
  • Student ID
  • Last four digits of Social Security Number (International Baccalaureate registrants only)
  • Physical address (students and/or parents)
  • Email addresses (students and/or parents)
  • Phone numbers (students and/or parents)
  • Ethnicity
  • International Baccalaureate candidate category
  • College Board identification number (e.g., SSD)

What information was NOT involved?

The following information would NOT have been stored on our Amazon Web Services S3 file storage service.

  • Social Security Numbers
  • Driver's license numbers/state ID card numbers
  • Passport numbers
  • Military ID numbers
  • Credit/debit card numbers
  • Bank account information
  • Health insurance information
  • Medical information
  • Biometric information
  • Digitized signatures
  • Test/course scores, rankings, etc.
  • Passwords or security questions

How and when did you discover the issue?

On the evening of April 11, 2019, we received an email from an individual who stated that she was a journalist. She informed us that our Amazon Web Services S3 file storage service, which we use to store reports that are generated by authorized school personnel and students, had a misconfigured setting that could allow unauthorized users with knowledge of the S3 service to access the reports contained in the S3 file system.

How did you respond?

Immediately upon receiving this information, we conducted an investigation of the issue. By the next day, April 12, 2019, we updated our configuration settings to correct the problem and deleted any remaining files in the file storage service that had been retained due to the misconfigured setting.

Who have you notified?

We have notified all of our customers of this incident, and we are providing them with an array of support options should they determine that they need to notify students and parents. If you determine that individual notification is required, we have provided a tool on the Total Registration platform to assist you with email notification.

Will Total Registration notify individual students and parents, or will schools have to?

We cannot advise schools about legal obligations. If it is determined that individual notification is required, a tool has been provided on the Total Registration platform to assist with email notification. Please contact Total Registration if you have further questions.

How long would information have been vulnerable?

The files created at student or school user request were held in the misconfigured folder for 48 hours after the request and then deleted.  A file was vulnerable while it was in the folder, but not after its deletion at the end of the 48 hours. The Amazon folder was misconfigured at creation in June 2016, so any files that were created between June 2016 and April 12, 2019, would have been accessible during the 48-hour window between that file’s creation date and its automatic deletion by Total Registration.  The information contained in the school- and user-generated reports is a subset of the information students/parents provided during the registration process, which is the information provided to the College Board for license via the exam answer sheets.

Was a database accessible?

At no time was the database accessible.  Only those reports that a school user or exam registrant chose to save in .pdf, .csv, or .doc file format were accessible, and then only for a period of 48 hours after creation.  If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, or .doc file, there was no file stored in S3 and the report was not accessible.

Do you have evidence that anyone accessed this information other than the individual who reported the issue to you?

We do not have any evidence that any other parties apart from the reporting party had knowledge of or accessed this information.

What are you doing to make sure that this does not occur again?

We have already engaged a data security specialist to review our current system and further update our security and internal audits and logs. We will continue to work with them to address security issues that they find, and we will conduct additional penetration testing to ensure that this type of incident does not occur again.

Will TR provide Identity Protection or Credit Monitoring services?

Due to the nature of the incident and the type of data that may have been exposed, TR will not provide Identity Protection or Credit Monitoring services.