Confidential data on thousands of students exposed by test preparatory firm

We’ve seen governments being careless with the identities of millions of children, student data lost via P2P file-sharing software, social networking websites revealing the dates of birth of all of its members, and even kids’ TV shows losing the names, addresses and birthdates of wannabe chefs.

Now there is news of another firm endangering children, and potentially assisting identity thieves through their carelessness.

A report in The New York Times today reveals that confidential information on thousands of American students was left exposed for anyone to steal after a security blunder by test preparatory firm The Princeton Review.

Sign up to our free newsletter.
Security news, advice, and tips.

According to the article by NYT reporter Brad Stone, files on a publicly accessible website exposed the dates of birth and names of 74,000 students in Fairfax County, Virginia for seven weeks. In addition, another file revealed the dates of birth, test scores and ethnicity of 34,000 students in the Sarasota, Florida, area after the county hired The Princeton Review to measure academic progress.

Some of the information is said to have been accessible through search engines like Google. You have to wonder – if companies are making it this easy to discover information about individuals, why do identity thieves go to all that effort of writing spyware?

Stephen Richards, the COO and CFO of The Princeton Review, says it has closed off access to the information, which is believed to have believed to have been exposed when the company changed internet providers in late June.

We should all be grateful that The Princeton Review has taken action over this data breach, but it should never have happened in the first place. The information should have been held securely, and identifying data such as names and full dates of birth should have been wiped from the files.

As an aside, one thing I find interesting about this case is how the data breach was discovered. It wasn’t found as part of an internal security audit, or by a customer or probing journalist. Instead, the blunder was uncovered by a (not named) competing firm who were conducting competitive intelligence on The Princeton Review.

The Princeton Review’s competitor chose to go to the New York Times to expose the security problem. They could have chosen to sent a friendly note to Stephen Richards about the problem, and the data leakage would never have made the headlines.

If you need an encouragement to make sure that your house is in order and your data secure, and the threat of identity thieves isn’t enough for you, then maybe the thought that a business rival might take your blunder to the press will do it.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.