Total Registration LLC (“Total Registration”) facilitates exam registration for our students, including Advanced Placement, PSAT/NMSQT and International Baccalaureate examinations.
On the evening of April 11, 2019, Total Registration was informed of a misconfigured file system by a security researcher and reporter who wanted to make sure that Total Registration’s information was not improperly accessed or misused.
Upon receipt of this information, Total Registration immediately investigated and remedied the issue by April 12, 2019. As part of that investigation, Total Registration discovered that one of its developers misconfigured a setting within its Amazon S3 file storage service. Total Registration uses this S3 file storage service to store reports and registration confirmations created by its users. As a result of that configuration, certain files (.pdf, .csv, .doc) that individual schools can create from reports, which list information about students registered for exams, and copies of registration confirmations generated by individual registrants, may have been available to individuals with knowledge of S3 system architecture who accessed the URL for the Total Registration S3 file storage.
All school-generated reports or student-generated confirmations were only accessible for 48 hours after the applicable file or confirmation was generated. After 48 hours, each report or confirmation would automatically be deleted. It is important to note that based upon Total Registration’s investigation, only those reports that a user chose to save in .pdf, .csv, or .doc file format were accessible. If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, or .doc file, there was no file stored in S3. Total Registration set up the S3 file storage service in June 2016, so any files that were created between June 2016 and April 12, 2019 would have been accessible during the 48-hour window between that file’s creation date and its automatic deletion by Total Registration.
The data that may have been exposed was limited to certain information used to register for Advanced Placement, PSAT/NMSQT and International Baccalaureate exams, based on how individual schools conducted registrations and ran their reports. Those reports may have included student registration information that students provided when registering for a test, such as name, IB candidate category, grade level, student id, sex, date of birth, address, email address, and parent/guardian names and email addresses. The data that may have been exposed did not include any social security numbers, credit card numbers, or other financial information. It also did not include any medical information, passwords or login information, or any test results or scores.
Except for the reporter/researcher who notified it of the misconfigured server, Total Registration is not aware of (nor is there any evidence of) any third-party access to the information that may have been exposed as a result of this incident.
Total Registration immediately reconfigured its settings for its file storage system to correct the problem. It has also deleted any remaining files in the S3 file storage service that had been retained due to the misconfigured setting. Total Registration is working with third-party experts to review its platform to make sure that this type of incident does not happen again. It is also implementing additional security measures designed to prevent a recurrence of such an incident.