A recently discovered glitch in the design code of the NeedMyTranscript.com web site appears to disclose the personal information of almost 100,000 of its visitors to anyone who enters a specific internal directory of the site. The directory was not supposed to be visible, and it was discovered by the site's administrators after a Washington Post press release.
NeedMyTranscript.com is a company that specializes in gathering all sorts of students' educational records and releasing them to third-party authorities upon request: high schools, agencies, educational institutions, employers, etc. It has records from 50 of the States and includes over 18,000 different universities. The aim of the site is to automate the application process for such institutions, agencies and employers.
The site's job was not to store all of the students' information, but to take it from them and pass it on to whoever it may concern. All the site's customers had to do was fill in the entire information online, grant permission for its publication and pay the transportation costs for the documents.
‘When notified by The Washington Post this month, the company first disputed that the personal information of users was publicly accessible but has now attempted to fix the problem,’ the newspaper release also reads.
After NeedMyTranscript.com acknowledged the problem, a disclosure was posted on its official web site. The statement says that the site was notified of the glitch and that it was fixed within a couple of hours. No sign of malicious actions was found and no payment data or credit card numbers were exposed, the statement continues, as all payments for the services are processed by a third-party payment institution (PayPal).
As another step to protect its customers' data, NeedMyTranscript.com hired a cyber-security expert company to investigate the case further.
‘Although we don’t believe that you are at risk of harm as a result of this vulnerability, we still recommend that all of our customers use good judgment in not responding to emails or other inquiries by those posing as a financial institution or other entities seeking your personal information. If you have any reason to believe your information on our site has been improperly accessed and used by a third party, please contact us via email at firstname.lastname@example.org as soon as possible,’ the NeedMyTranscript.com statement concludes.