Take the usual prudent precautions with your personal data. You should not open email from any unknown sender. You should never open untrusted web links. You should never provide personal information via email or over the phone to any unverified entity. Total Registration will never contact families to update financial information or to provide additional information.
Schools that have used Total Registration for Advanced Placement, International Baccalaureate, and PSAT/NMSQT exam registrations, and students at those schools, could be affected if a registration was completed and either the student or a school user requested a file to be created (.pdf, .doc, .xls, etc.) for download or printing. The information in the created file could have been temporarily held in an Amazon folder that was misconfigured.
Information that was accessible during this incident was only information contained in reports run by authorized school personnel or confirmations from student registrations. Additionally, based upon our investigation, only those reports that a user chose to save in .pdf, .csv, or .doc file format were accessible for a 48-hour window. After 48 hours, the files were deleted from S3. If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, or .doc file, there was no file stored in S3.
The information contained in these reports could have included:
The following information would NOT have been stored on our Amazon Web Services S3 file storage service.
On the evening of April 11, 2019, we received an email from an individual who stated that she was a journalist. She informed us that our Amazon Web Services S3 file storage service, which we use to store reports that are generated by authorized school personnel and students, had a misconfigured setting that could allow unauthorized users with knowledge of the S3 service to access the reports contained in the S3 file system.
Immediately upon receiving this information, we conducted an investigation of the issue. By the next day, April 12, 2019, we updated our configuration settings to correct the problem and deleted any remaining files in the file storage service that had been retained due to the misconfigured setting.
We have notified all of our customers of this incident, and we are providing them with an array of support options should they determine that they need to notify students and parents. If you determine that individual notification is required, we have provided a tool on the Total Registration platform to assist you with email notification.
We cannot advise schools about legal obligations. If it is determined that individual notification is required, a tool has been provided on the Total Registration platform to assist with email notification. Please contact Total Registration if you have further questions.
The files created at student or school user request were held in the misconfigured folder for 48 hours after the request and then deleted. A file was vulnerable while it was in the folder, but not after its deletion at the end of the 48 hours. The Amazon folder was misconfigured at creation in June 2016, so any files that were created between June 2016 and April 12, 2019, would have been accessible during the 48-hour window between that file’s creation date and its automatic deletion by Total Registration. The information contained in the school- and user-generated reports is a subset of the information students/parents provided during the registration process, which is the information provided to the College Board for license via the exam answer sheets.
At no time was the database accessible. Only those reports that a school user or exam registrant chose to save in .pdf, .csv, or .doc file format were accessible and then only for a period of 48 hours after creation. If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, or .doc file, there was no file stored in S3 and the report was not accessible.
We do not have any evidence that any other parties apart from the reporting party had knowledge of or accessed this information.
We have already engaged a data security specialist to review our current system and further update our security and internal audits and logs. We will continue to work with them to address security issues that they find, and we will conduct additional penetration testing to ensure that this type of incident does not occur again.
Due to the nature of the incident and the type of data that may have been exposed, TR will not provide Identity Protection or Credit Monitoring services.