In January 2020, a security researcher discovered an exposed server belonging to Front Rush, an athlete-recruiting software company offering solutions to more than 9,500 college teams at over 850 institutions across the United States.
The initial report was kept low key, and it appears that the unsecured server contained over 700,000 files including medical records, performance reports, driver's licenses and other personally identifiable information of college athletes.
Yesterday, however, Front Rush disclosed that it has started informing potentially affected individuals about the security incident it was alerted to 7 months ago.
According to the data breach notification, “on or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazon Web Services S3 buckets (“the S3 bucket”) was publicly accessible from the internet.”
The company said the S3 bucket contained:
• Attachments uploaded by the college institutions, such as transcripts, injury reports or athletic reports
• Attachments uploaded by student athletes, prospective student athletes or their parents/guardians
As disclosed by the report, the type of personal information exposed varied by individual. However, Front Rush reveals that the data sets may have included first and last names, date of birth, Social Security number, Driver's License Number/State ID Number, student ID number, passport number, other ID number, financial account information, payment card information, mother's maiden name, birth certificate, username or email address and password, electronic signature, Medicare/Medicaid number, diagnoses, prescriptions, disability information, other medical information, health insurance subscriber and group numbers and other health insurance information.
The company claims that, upon learning of the event, it immediately opened an investigation alongside third-party security experts. It appears that the S3 bucket housing the database was publicly accessible between January 18, 2016 and January 8, 2020.
The report says there is "no evidence to suggest that the S3 bucket was accessed by anyone other than the security researcher," but also that "logs were not sufficient to show whether anyone else had accessed the data."
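The two failures the notification describes, a bucket reachable anonymously and access logs too thin to reconstruct who read it, are the checks a defender would run on every bucket. As an added example (not Front Rush's code or AWS tooling), the Python below audits a constructed bucket configuration for public ACL grants, wildcard policy principals, Block Public Access settings and server access logging; all bucket names, ARNs and grantee IDs are made up.

```python
import json
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"             # anonymous grantee
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample configurations (not Front Rush's), shaped like the results of
# get_bucket_acl / get_bucket_policy / get_public_access_block / get_bucket_logging.
EXPOSED_BUCKET = {
    "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "Policy": None,
    "PublicAccessBlock": None,  # never configured on this bucket
    "Logging": {},              # no "LoggingEnabled": reads are not recorded anywhere
}
HARDENED_BUCKET = {
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                        "Permission": "FULL_CONTROL"}]},
    "Policy": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/upload-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]}),
    "PublicAccessBlock": {k: True for k in PAB_KEYS},
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-audit-logs", "TargetPrefix": "s3/"}},
}

def acl_is_public(acl):
    # Any grant to the AllUsers or AuthenticatedUsers group exposes the bucket.
    return any(g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS) for g in acl.get("Grants", []))

def policy_is_public(policy):
    # An Allow statement whose principal is the wildcard permits anonymous requests.
    if not policy:
        return False
    for stmt in json.loads(policy).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        wildcard = principal == "*" or (isinstance(principal, list) and "*" in principal)
        if stmt.get("Effect") == "Allow" and wildcard:
            return True
    return False

def audit_bucket(cfg):
    # Findings a defender wants: every exposure path, plus whether reads can be reconstructed.
    pab = cfg.get("PublicAccessBlock") or {}
    findings = []
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    if acl_is_public(cfg["Acl"]) and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants read to AllUsers/AuthenticatedUsers")
    if policy_is_public(cfg.get("Policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows anonymous principal")
    if "LoggingEnabled" not in cfg.get("Logging", {}):
        findings.append("server access logging disabled: cannot reconstruct who read the data")
    return findings
```

In a real account the four dictionaries would be filled from the S3 API per bucket; the logging finding is the one that decides whether an investigation like the one described above can ever answer "who read it".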
College institutions were notified on June 15, and letters to potentially impacted individuals for whom address information was available were sent out starting on July 27.
It's unclear why the company waited to notify affected individuals. However, the company hinted that it was waiting on the results of the data mining investigation before publicly disclosing the impacted athletic departments across the country.
“To date, Front Rush has not received any reports that personal information has been misused as a result of this incident,” the notification reads.
The data breach could have serious consequences for athletes, parents and guardians. Even if there is no evidence that the unsecured data was accessed by malicious actors, the fact that the server was left unprotected for four years leaves room for serious debate.
Victims should be aware that, with such a variety of exposed personally identifiable information (PII), the chances of identity theft are high. As such, "Front Rush encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, promptly change any involved account passwords, and to review account statements and credit reports for suspicious activity."
The company has also provided credit monitoring to individuals who had a Social Security Number or Driver’s License Number/State ID exposed and notified state regulatory authorities.