Data breach: Personal information of Central Kentucky students may have been exposed

A company that facilitates registration for tests such as Advanced Placement and the PSAT for all six of Lexington’s high schools and other schools in Central Kentucky has announced that students’ personal information might have been exposed in a data breach.

A May 31 email about a “data security incident” sent from the Colorado-based Total Registration LLC to Lafayette High School parents is similar to what other families throughout Central Kentucky received, according to several school district officials. The email said the company was notified by a journalist that a misconfigured server allowed for the “potential unauthorized access to some of the information that Total Registration stores on its systems. “

“It’s an unfortunate situation,” said Woodford County Superintendent Scott Hawkins. “We did send an email the students and to the parents of those students who may have been impacted.”

According to its website, Total Registration helps high schools automate and organize Advanced Placement, PSAT/NMSQT and International Baccalaureate exam registration. Students register for their high school’s tests using an online form customized for their school.

Total Registration recently sent a “Notice of Data Security Incident” to all of its client schools.

Total Registration staff did not immediately comment. But a message on the company website includes several questions and answers about the possible data breach.

Information that could have been exposed included names of students and parents, date of birth, language, grade level, sex, student ID, last four digits of Social Security Number of International Baccalaureate registrants only, and the physical address, email addresses, and phone numbers of students and/or parents, and ethnicity, a message on Total Registration’s website said.

The data that may have been exposed did not include any full social security numbers, credit card numbers, or other financial information.

Given the types of information that may have been accessible as part of this incident, we do not believe that there is a risk of identity theft or harm from this incident,” the email to families said. “However, we encourage you to take usual prudent precautions with your personal data.”

“You should not open email from any unknown sender. You should never open untrusted web links. You should never provide personal information via email or over the phone to any unverified entity. Total Registration will never contact families to update financial information or to provide additional information,” the email said.

Fayette County Public Schools spokeswoman Lisa Deffendall said that “all six of our high schools use Total Registration to help families individually register their students to take College Board exams, such as Advanced Placement tests or the PSAT/NMSQT.”

“Our schools have notified individual families who may have been impacted, but the district cannot speak directly to the issue because the problem was not related to security of data held by the Fayette County Public Schools,” Deffendall said.

Deffendall said Fayette County does not use the service when registering all students as a group, such as when the district paid for all sophomores to take the PSAT or ACT as recently as last school year.

Who could have been affected?

Students at schools that have used Total Registration for Advanced Placement, International Baccalaureate, and PSAT/NMSQT exam registrations that completed a registration and either the student or school user requested a file to be created for download or printing could have had that information in the created file temporarily held in an Amazon folder that was misconfigured, the company website said.

On Total Registration’s website, several Kentucky schools are noted as using the company’s services in 2019.

Hawkins said his Woodford County district has provided families with information so that they know what happened and “what it means and what actions were taken to correct the issue.”

Hawkins said his district staff had heard from a parent who wanted more information.

“We’re going to try to direct them back to the company,” he said.

Scott County Public Schools spokeswoman Renee Holmes said “Scott County High School did use the company in question for registration for AP (Advanced Placement) tests. The school was notified by email and the company indicated that they notified all parents impacted directly.”

In Nicholasville, Jessamine County Superintendent Matt Moore said that in notifying parents, “Jessamine County is using the same wording which was recommended by Total Registration.”

Outside of Kentucky, Montgomery County,Maryland Public Schools officials notified parents about the data breach. In a May 23 statement, district officials said “while the vendor states that they have no evidence of any third party (aside from the journalist) accessing data, they are unable to state with certainty that the data hasn’t been accessed by others. The vendor states that there are no transaction/audit logs to verify this claim.”

In Connecticut, the Hartford Courant reported that West Hartford school district officials announced the data security incident.

“We have already engaged a data security specialist to review our current system and further update our security and internal audits and logs,” Total Registration officials said in the statement on their website. “We will continue to work with them to address security issues that they find, and we will conduct additional penetration testing to ensure that this type of incident does not occur again. “