Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Data Protection

Personal Information of Over 30,000 Students Exposed in Unprotected Database

The personal information of more than 30,000 students was found on an improperly secured Elasticsearch server, security researchers with SafetyDetectives report.

The server, the researchers say, was left connected to the Internet and did not require a password to allow access to the data within.

The personal information of more than 30,000 students was found on an improperly secured Elasticsearch server, security researchers with SafetyDetectives report.

The server, the researchers say, was left connected to the Internet and did not require a password to allow access to the data within.

Thus, it exposed more than one million records representing the personally identifiable information (PII) of 30,000 to 40,000 students, the researchers estimate.

The exposed information, they say, included full names, email addresses, and phone numbers, along with credit card information, transaction and purchased meals details, and login information stored in plain text.

SafetyDetectives, which notes that the improperly secured server was being updated at the time it was discovered, also found evidence of server logs showing student data being exposed.

The researchers say that the 5GB database appeared to contain the details of students who are Transact Campus account holders. Given that Transact Campus works with higher education institutions in the United States, the majority of impacted students are US individuals.

Transact Campus provides an application that students can use with a unique personal account (called Campus ID) to make payments and purchases, and which can also be used for activities such as event access, class attendance monitoring, and more.

Advertisement. Scroll to continue reading.

What the researchers could not determine was whether malicious actors accessed the unprotected database before it was secured.

However, they note that, if bad actors did download the data, the impacted students could fall victim to various types of attacks, including phishing, spam marketing, and scams. Furthermore, since login credentials were stored unencrypted on the server, account takeover attacks are also possible.

SafetyDetectives says they contacted Transact Campus about the unprotected server in December 2021, but did not receive a reply until January 2022, after they had contacted US-CERT as well. The database had already been secured at that time, but Transact Campus denied being responsible for the breach.

“Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data,” Transact Campus told SafetyDetectives.

The researchers, however, told SecurityWeek that they checked a sample of the data found on the server and that they believe it belongs to real people.

“We use publicly available tools to perform random searches for the people exposed and see if they actually exist. We, of course, performed this process when we discovered this server and found out that the data seemed to belong to real people,” SafetyDetectives said.

Contacted by SecurityWeek, Transact Campus said they launched an investigation into the breach immediately after being informed of the exposure.

According to Chief Information Security Officer Brian Blakley, the exposed database was found to belong to a third-party and that none of Transact’s servers was accessed without authorization.

When asked whether the potentially impacted students had been warned in any way of the data exposure, Blakley directed SecurityWeek to contact Sodexo, which appears to have been responsible for the breach.

“Sodexo in conjunction with its payment’s provider for dining services, Foundry, provided a Notice of Data Breach to impacted clients and users explaining the incident,” he said.

Sodexo provides catering, facility management, and home and personal services across the globe. SecurityWeek contacted the company for additional details on the breach, but has yet to receive a response.

UPDATE 06.20.2022: Foundry has provided the following statement:

This incident did not affect any systems at Transact; it was isolated to a single Foundry gateway server. The potential exposure was discovered by a third party security company that actively scans for vulnerable Elasticsearch clusters. Rather than test data as intended the Elasticsearch server pulled in production logs that contained clear text username and passwords of fewer than 700 students who attempted to register for meal plan account access between October 10, 2021 and January 14, 2022. Only registration attempts logged within that timeframe accounts for the accounts that were affected.

Related: Over 300,000 Internet-Exposed Databases Identified in 2021

Related: Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver

Related: Cybercriminals Hold 1,200 Unsecured Elasticsearch Databases for Ransom

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.