A data breach on the website TotalRegistration.net, used by 22 Montgomery County high schools to register for AP and PSAT testing, may have exposed students’ personal information.
According to a statement from Montgomery County Public Schools (MCPS) that was sent to affected students and parents, the website notified MCPS on May 10 that a “security incident” had occurred on April 11 that “may have been exposed due to a misconfiguration” on its data storage platform. MCPS was notified that the exposed information could include students’ names, birthdays, addresses, phone numbers and the last four digits of their Social Security numbers. The MCPS statement notes that not all students were required to submit all of these details when they registered for a test.
“The data that may have been exposed did not include social security numbers, credit card numbers, or other financial information,” it stated.
According to the press release, TotalRegistration.net received an email from a journalist on April 11 pointing out that the website’s file storage area was misconfigured. The storage area contains various types of documents that schools use with information about students registered for exams.
“All school-generated reports or student-generated confirmations were only accessible for 48 hours after the applicable file or confirmation was generated,” according to the MCPS statement “After 48 hours, each report or confirmation would automatically be deleted. It is important to note that based upon our investigation, only those reports that a user chose to save in .pdf, .csv, or .doc file format were accessible.”
According to the release, information from test registrations starting in June 2016 through April 12, 2019 would have been accessible during this 48-hour window.
TotalRegistration contracts with individual schools to set up registration for the exams.
TotalRegistration representatives wrote on their website that they are working with third-party experts to “review its platform” in order to ensure the incident does not happen again.
MCPS’s statement said the school system asked the website’s creators “numerous questions” about how much data was exposed, how many times it was accessed and other details, but that “the vendor has yet to supply any helpful information.” The school system will “reevaluate” the process by which schools register for AP exams at the end of the school year.
The schools that do not use TotalRegistration are Poolesville High School, Thomas Edison High School of Technology and Watkins Mill High School according to TotalRegistration’s online database.
Parents and students who need more information about whether they might have been affected are encouraged to email the incident dropbox at TR-Databreach@mcpsmd.org.
Dan Schere can be reached at Daniel.schere@moco360.media