A recently discovered flaw in the code of the NeedMyTranscript.com website appears to have exposed the personal information of almost 100,000 of its visitors to anyone who opened a specific internal directory of the site. The directory was not supposed to be publicly visible, and the site's administrators learned of the exposure after a Washington Post article.
The newspaper’s research showed that all sorts of personal information could be found on the website: names, addresses, e-mail addresses, social security numbers, etc. Its analysis states that this could have been an issue ever since the site started back in 2012. Moreover, the problem was not noticed by the site administrators themselves, but was pointed out to The Washington Post by a visitor of the platform who tried to submit his transcript. Instead, he got an error message containing a link that led to the exposed directory. The public visibility of that information seems to contradict the website’s own privacy policy. ‘The availability of customers’ personal information appears to violate the company’s own privacy policy, which said it had in place “appropriate physical, electronic and managerial procedure to safeguard and secure the information we collect online.”’ the Post’s article continues.
NeedMyTranscript.com is a company that specializes in gathering all sorts of students’ educational records and releasing them to third parties upon request: high schools, agencies, educational institutions, employers, etc. It has records from 50 states and covers over 18,000 different universities. The aim of the site is to automate the application process for such institutions, agencies and employers.
The site’s job was not to store the students’ information, but to collect it from them and pass it on to whichever party needed it. All the site’s customers had to do was fill in all the information online, authorize its release and pay the delivery costs for the documents.
‘When notified by The Washington Post this month, the company first disputed that the personal information of users was publicly accessible but has now attempted to fix the problem,’ the newspaper’s article also reads.
After NeedMyTranscript.com acknowledged the problem, a disclosure was posted on its official website. The statement says that the site was notified of the flaw and that it was fixed within a couple of hours. No sign of malicious activity was found and no payment data or credit card numbers were exposed, the statement continues, as all payments for the services are processed by a third-party payment institution (PayPal).
As another step to protect its customers’ data, NeedMyTranscript.com hired a cyber-security company to investigate the case further.
‘Although we don’t believe that you are at risk of harm as a result of this vulnerability, we still recommend that all of our customers use good judgment in not responding to emails or other inquiries by those posing as a financial institution or other entities seeking your personal information. If you have any reason to believe your information on our site has been improperly accessed and used by a third party, please contact us via email at privacy@needmytranscript.com as soon as possible,’ the NeedMyTranscript.com statement concludes.