This breach occurred when GetSchooled, a charity founded by the Bill & Melinda Gates Foundation along with Viacom, left a database open and accessible to anyone with a browser and an internet connection.
Get Schooled Foundation is a U.S. national non-profit organization that helps young people succeed in high school, college, alternative career paths and early career employment through a unique combination of engaging multimedia content, gaming, and personalized encouragement and interaction.
According to TurgenSec, the breach affects 930k people, consisting of children (10-16 y/o), some young adults and some college students.
The exposed information includes detailed personal data of children, adolescents and young adults: complete addresses, classes, full student PII including student phone numbers and emails, graduation details, ages, genders and more…
TurgenSec responsibly disclosed the breach to GetSchooled on 18 November 2020, calling and emailing them several times over the course of a month. They did not receive a reply directly from GetSchooled and eventually made contact with the NCSC, Viacom and the Bill & Melinda Gates Foundation (exact timeline available upon request).
Viacom and the Bill & Melinda Gates Foundation told them that they had forwarded the information to GetSchooled. Following this escalation, the breach was closed on 21 December, more than a month later.
According to the Financial Times, Get Schooled disputed the extent of the breach, arguing that some 250,000 accounts had been left exposed. It said that about 75,000 of those accounts were connected to email addresses that are still active.
It was estimated that about 20,000 phone numbers and 12,000 mailing addresses may have been obtained, but that no dates of birth or financial information were included in the database.