Schools email marketing company told us to go away when we told them of exposed database creds, say infoseccers An email marketing company claiming to hold details on a million UK teachers and school admin personnel was potentially exposing those to the public internet thanks to a misconfigured error page on its website. Not only that, but the Schools Marketing Company (SMC) seemingly dismissed the findings of the infosec company which …
As for the "there's no indication that this information has been misused" (I paraphrase) - Like anyone who is going to go for a marketing database is going to email them to say "hey, we stole your data, neener-neener".
The company acted in a cavalier fashion, their staff responded in a cavalier fashion, and it blows my mind that they haven't been reported yet.
"The company acted in a cavalier fashion, their staff responded in a cavalier fashion, and it blows my mind that they haven't been reported yet."
Agreed. If I received a response like that, the first thing I'd do would be to hand it to regulators as it's highly unlikely that such an issue would be the only thing wrong at the company
"have taken and are taking steps to ensure security of our systems as we always have done.
"There is no indication that any systems or information we hold have / has been compromised"
Dude your systems were compromised.
If I worked with this company as a client, I'd be very worried.
If they were a supplier of ours and exposed our data they would not just be facing an ICO complaint - I'd take them to court for as much as I could get away with and then some, and I made sure it hit every newspaper in the country.
Mistakes happen, yes, but that response demonstrated such a lack of interest and arrogance that I would not have them as a supplier. That said, the way we screen suppliers I doubt they'd get past the first stage in the first place because that sort of attitude tends to be pervasive.
Here's hoping the ICO gets acquiresthe ability to fine to levels that existed under GDPR as they are serious enough to demand attention. Otherwise they're a waste of time.
Given that the information appears to have been freely available without "compromise", they are correct in one sense, their system was not compromised.
The simply fact that the data was visible and should not have been is enough, the data has been compromised.
Sadly the response that was given is all too common in many of these sorts of organisations that simply have not concept of IT, security or responsibility.
There are far too many people involved in education IT or providing IT services to education that are so stuck up and have this unwavering belief that everything they do is perfect is is unreal. Many have never worked anywhere else and have no concept that actually providing what the user needs might be a good idea. This starts in primary school and goes right through to universities.
I don't know about that company in particular, but have seen the tactics used elsewhere. They scour the school websites for email addresses. And job vacancy sites with contact details etc.
They may also look at simple staff lists and assume the email format as being firstname.lastname@school.domain or f.surname@ etc (often assisted by seeing other addresses for the same establishment) - they extrapolate as much as possible to boost their headline figure.
There's nothing that you couldn't find yourself, but they sell the convenience of having it all in one place.
But they are. marketing to schools has been increasingly about big business for decades. And very much supported by government policies.
Where once services for and in schools were local authority or non-profit (e.g. exam boards) they are now almost all commercial. Teaching reading is off-the-shelf phonics, easy to sell and easy to measure ( even if it's not a great way to teach reading) of commercially produced packages authorised by government . Exams are run by publishing companies, who also sell the curriculum materials. Advisory and support teachers have been privatised or abolished by local authorities for schools to buy in services from any company that's persuasive enough. Services that were once provided on an "as needed" basis with no need to provide corporate profits, sales, marketing or management costs by locally employed experts who were committed to their roles
And yes I was one such..
And the upshot is that services which were only viable when costs were spread - particularly thinking of the schools music services, schools library services, but it also applies to things like pupil support - have been destroyed in the name of choice. School management teams "choose" not to pay for peripatetic music teachers to come in and give subsidised lessons to children learning a - probably borrowed - instrument and spend the money on iPads instead, so only children whose parents can afford to pay commercial rates and buy or rent the instrument end up with those skills.
School management teams "choose" not to purchase speech therapy support from the local authority's small centralised, specialist team and instead interpret the child's "statement of educational needs" as meaning they can contract out to a private supply company who will send an 18 year-old on a gap year with no relevant qualifications to plod through some worksheets and take the child out of class if they get a bit stroppy, because two hours of qualified SLT is worth five mornings of 18 year-old.
The situation is a little better in those parts of the UK where schools aren't forced to become academies and local authorities retain some oversight, but only a little.
Anon because I know people on all sides of this debate and I might be exaggerating - though only a little.
Absolutely.
<rant> I used to support kids with literacy difficulties, employed by a local authority. And we divided our service as fairly as we could between schools We were, when it was the Inner London Education Authority, funded in a way that spread the costs over rich and poor boroughs and after, worked equally across the rich and poor schools in our boroughs. We'd been provided training by the best trainers that could be found. Real experts that willingly gave their time because we weren't doing this for shareholders' profits. We developed and honed our work by keeping up to date with all the research coming out of universities, not just the commercially developed or ideologically approved ones.
We sourced books from school library services that would engage and encourage the kids.
Schools also received advice and support from a range of locally employed specialists across the curriculum, employed by the authorities. When the LEAs tried to retain some funding for this they were berated and called "greedy" (notably by the BBC by the way) as if the money was being used for big lunches and parties, rather than to employ a bloody primary science advisor or curate a collection of teaching materials to share across their schools.
</rant> Rant ended only because I need to go and calm down.
You are correct that local authorities have abolished almost all the support services but that is actually no the fault of the authority. The entire thing is rigged with there huge academy chains that have commercialised education for their own gains (large profits and salaries). This has left the LEA with nothing left to provide except the bare minimum because all the money has been taken away by Government.
There is this bizarre concept that just because a academy is a trust it is somehow respectable and everything is for the benefit of "The Children". This is complete bollocks as all the trust status does if give them tax advantages. The upper echelons of these trusts are paid huge amounts of money as are many heads and the now essential "Executive Head". Then entire management and support chain now costs vastly more than it ever did through the LEA as it is both grossly inefficient (more people) and far higher salaries.
This makes for interesting reading....
https://www.nga.org.uk/getmedia/9688a374-2272-48e8-afe1-d82f2532432d/ASCL-Guidance-Paper_Setting-Pay-for-Ex-Heads-Princials-and-CEOs_Nov-2017.pdf
Nope, get with the times re: the latest PR spin. It wasn't 'compromised', it was 'leaked'.
Not being a pedant about correcting you, (because you're correct) I'm just pointing out the weasel wording by the company.
It sounds like marketing to schools in this case.
But there is school marketing too.
Competition. It's the Policy. Set schools against one another. And schools know full well that there is a spiral involved. I have two local schools federated. One is seen as the good school and gets the middle class families as their first choice. One gets all the needy families, the ones that couldn't/didn't try to get a place in the middle class school. They're with a 5 minute walk of each other, have the same management team etc etc.
Reputation is everything. Local estate agents only refer to one of these schools.
And when rolls start to fall, which schools' staff's jobs are in jeopardy? And which staff group have the tougher jobs with the highest skills?
The blurb on their website says:
"Want to talk to bursars, facilities managers or Heads of IT? No problem. We’ve got their direct, personal school email addresses - ready to send your marketing emails directly to them."
Not a problem for me. If an unsolicited email comes in, it goes in the bin, the sender gets blocked and that company doesn't get my business.
Why do schools need marketing companies?
For the same reason that the NHS needs them. The same reason that the UK needs a couple of decades more of BJ and chums. The same reason that we needed Dildo Harding in charge of T&T. The same reason we needed to leave the EU.
Are we ***sure*** that there has been a compromise.....
I mean, all it takes on one little design specification saying that upon error the system is to blurt out all of the access credentials ever used for it, and its not compromised at all. It is operating by design :-)
Alternately, if the design specs didn't **explicitly** say that outputting passwords was disallowed, then again, the system is operating as designed.
It's not as if somebody actually hacked them :-P
Sigh
That the problem wasn't fixed with the first several emails, and they eventually sort it then whine you'd contacted them several times prior is arrogant, it's not admitting they should have fixed something sooner, not acknowledging that you helped them in pointing this out. If I tell you that you left your car unlocked, you don't need a 'prior relationship' with me to thank me for pointing out your carelessness. if it had your laptop bag sat on the passenger seat, I've just done you a favour. if it had thousands of other people's property sat on the passenger seat, I've done them a favour, and you're doing them a disservice to not acknowledge you've been negligent to leave other people's things unsecured.
Perhaps, but it appears that the "GFY" was in response to a second contact, after the company had been made aware of the problem. They refused any further engagement and the hackers publicised the leak. I really can't help wondering if they would have done so with their mouths stuffed with cash.
There is no doubt that the company in question was sloppy and perhaps criminally sloppy, but the hacking gang sounds pretty iffy too.
Come on. The second and third emails mentioned almost certainly looked like this:
First: "You have a problem with your database credentials being shown here ..."
Second: "Sorry if you didn't get our last email, but you have a problem with your database credentials being shown here ..."
Third: "You've got some seriously confidential data in your database, and it's a crime to leak it or not report a breech, and your credentials are right here. You need to fix it."
Then the response. The article notes that the credentials were fixed after the press got involved, not beforehand. You have decided based on no evidence at all that the researchers wanted money, but as the problem they found wasn't fixed, they could easily have just wanted it fixed. Like many other researchers, if someone won't fix their problem which is actively affecting others, they go public. For a similar reason, if you were periodically firing a projectile from your house onto the street, I'd try to make you stop and if you didn't immediately do it, I'd report you to protect pedestrians. No money involved.
"we do not hold any confidential information on any of our servers"
I understood name, email, job description, company and password were classed as personal and confidential. I'm pretty sure I can't just publish my list of contacts from my database on a web page - which is what they have basically done! ICO, do your job.
I sent one email chasing the original report to make sure it had been received.
They don't have a means to report security issues, so there is a significant chance that the email doesn't reach the person responsible for the security of these systems, and the issue remains unfixed, leaving them at risk.
This is not "pestering".
I'm not a freelance penetration tester, but not sure I have seen any operate under that model either. It's not exactly going to be lucrative working like that.
As you can see, the way we report issues, we ensure that we aren't offering any services:
https://twitter.com/cybergibbons/status/1446022192928595973
The weakness will be disclosed regardless of any services purchased or not. Either the compromised company will disclose the personal data has been compromised, as legally required to, or they will be reported for failing to disclose it. The technical weakness will be reported because it's in the public interest to ensure others can learn from this mistake and avoid leaking people's personal data due to poor practices or common mistakes.
This company says 'we're sure no data has been lost or misused' but it's hard to believe a company that makes this mistake in the first place has such complete network and system logging to accurately determine this claim, in act quite the opposite. Exactly which outfit they choose to hire to help with their information security is up to them, they're not obliged to do that but they're going to have an even harder time brushing it off next time, to their directors/shareholders, to tee ICO, to their customers, and to the people whose data is leaked, if it happens a second time, having already been warned their processes are insufficient.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
