Report: Princeton Review Publishes Sensitive Data Online

Error made student birth dates, test scores public for weeks

The Princeton Review is the latest company hit with a data breach that is making headlines. The New York-based educational service and test preparation provider inadvertently exposed files on at least 100,000 students in Sarasota, Florida and Fairfax County, Virginia through its website.

News of the breach was made public Tuesday morning by a report in the New York Times.

Files were exposed after the company switched Internet service providers earlier this year. The sensitive information, which included personal data such as names, birth dates, ethnicities and learning disabilities, along with test performance, was easily accessed through a simple web search and was available for at least seven weeks, according to the report. None of the information was password protected, although it was intended to be viewed only by Princeton Review authors.

Princeton Review officials told The NYT that access to the information was immediately shut down as soon as the company was informed about the problem.

"This brings up two big questions," said Graham Cluley, a senior technology consultant with IT security and control firm Sophos. "Are companies doing enough to protect their data and also do companies really need to be keeping all of this kind of data?"

The flaw was discovered by a competing test preparation firm. The competitor contacted the NYT with the story, according to Cluley, who said the way events played out points to the high stakes now involved with a data breach.

"If companies haven't heard this before, it's a huge reminder that security is important not just for your customers, but for your reputation."

While the publishing of birth dates may not seem like a massive leak, Cluley said the information is a good stepping stone for someone attempting to steal an identity.

This is the second time in a month a public breach has involved birth dates. A glitch in a test version of social networking site Facebook inadvertently exposed the birthdays of its 80 million members last month. The bug was discovered by Cluley, who was checking out Facebook's new design when he noticed that the birth dates of some of his privacy-obsessed acquaintances were popping up when they should have been hidden.

"The fact that the people affected by this latest breach were children I think adds to the general background radiation about security, or lack thereof, of people's data on the web," said Cluley.

Copyright © 2008 IDG Communications, Inc.
