Financial data is safe, processed by third party

Oct 23, 2014 11:45 GMT

A flaw in the design of the NeedMyTranscript.com website allowed personally identifiable information of 98,818 visitors to become publicly available, putting the affected individuals at risk of identity theft.

A notification from the administrators of the website has been posted, offering scant details about the flaw that caused the exposure and the type of data that could be accessed online without authentication.

Internal subdirectory with the data could be accessed online

They say that no sign of malicious activity has been found during the investigation following the discovery of the flaw and that no financial details have been impacted because these are processed through a third-party payment service (PayPal).

“NeedMyTranscript does not store customer high school transcripts, credit card numbers or full social security numbers on our website,” the announcement says.

However, an investigation by The Washington Post revealed that names, addresses, e-mail addresses, phone numbers, dates of birth, mothers' maiden names and the last four digits of the users' Social Security numbers were exposed; the exposure could have lasted since the website was launched in 2012.

Moreover, NeedMyTranscript was not aware of the defective design until The Washington Post alerted it, acting on a tip from one of the newspaper's readers.

It appears that a link to a subdirectory containing all the data became visible in a log-in error message.

The company states that the glitch was fixed within hours of being uncovered, and that such an error should no longer affect its visitors.

Another step taken by NeedMyTranscript was to contract the services of a cyber-security firm to investigate the matter and provide advice about stronger data security.

Service covers 50 states and more than 18,000 high schools

“We also do not believe that any customer information was accessed by someone intending to commit identity theft, although our investigation continues. We look forward to implementing appropriate recommendations from the cybersecurity firm and continuing to provide efficient service to our customers,” the disclosure announcement reads.

NeedMyTranscript accepts transcript requests from 50 states in the US and covers over 18,000 individual high schools. The business consists of automating the process of requesting student records and authorizing the pertinent entities to release them to agencies, educational institutions, employers or any other individual specified by the customer.

Handling or storing records provided by the schools to the students is not part of the service. The business only mediates access to student records by submitting all requests and handling the delivery of the information to the customer.

All the client has to do to get the document is authorize its release and cover the shipping fees.