Schools email marketing company told us to go away when we told them of exposed database creds, say infoseccers

An email marketing company claiming to hold details on a million UK teachers and school admin personnel was potentially exposing those to the public internet thanks to a misconfigured error page on its website. Not only that, but the Schools Marketing Company (SMC) seemingly dismissed the findings of the infosec company which …

  1. AndyFl

    No need to compromise their systems

    They had already misconfigured the server to expose all the details anyway.

    This is one of the cases where the ICO should hang them out to dry. I'm not holding my breath though as the ICO always appears to be more than a little toothless.

    1. TKW

      Re: No need to compromise their systems

      In my view the problem is much more about the response than it was about the original "misconfiguration". The way they also responded to El Reg shows that it's institutional and probably beyond repair: they need ICOing out of existence.

    2. anothercynic Silver badge

      Re: No need to compromise their systems

      As for the "there's no indication that this information has been misused" (I paraphrase) - Like anyone who is going to go for a marketing database is going to email them to say "hey, we stole your data, neener-neener".

      The company acted in a cavalier fashion, their staff responded in a cavalier fashion, and it blows my mind that they haven't been reported yet.

      1. Alan Brown Silver badge

        Re: No need to compromise their systems

        "The company acted in a cavalier fashion, their staff responded in a cavalier fashion, and it blows my mind that they haven't been reported yet."

        Agreed. If I received a response like that, the first thing I'd do would be to hand it to regulators as it's highly unlikely that such an issue would be the only thing wrong at the company

  2. Anonymous Coward

    Alarm bells..

    "have taken and are taking steps to ensure security of our systems as we always have done.

    "There is no indication that any systems or information we hold have / has been compromised"

    Dude your systems were compromised.

    If I worked with this company as a client, I'd be very worried.

    1. Anonymous Coward

      Re: Alarm bells..

      If they were a supplier of ours and exposed our data they would not just be facing an ICO complaint - I'd take them to court for as much as I could get away with and then some, and I'd make sure it hit every newspaper in the country.

      Mistakes happen, yes, but that response demonstrated such a lack of interest and arrogance that I would not have them as a supplier. That said, the way we screen suppliers I doubt they'd get past the first stage in the first place because that sort of attitude tends to be pervasive.

      Here's hoping the ICO acquires the ability to fine to levels that existed under GDPR as they are serious enough to demand attention. Otherwise they're a waste of time.

    2. jsdbroughton

      Re: Alarm bells..

      They have 0% way of knowing how many / if any of their data have been scraped and misused.

    3. hoola Silver badge

      Re: Alarm bells..

      Given that the information appears to have been freely available without "compromise", they are correct in one sense, their system was not compromised.

      The simple fact that the data was visible and should not have been is enough, the data has been compromised.

      Sadly the response that was given is all too common in many of these sorts of organisations that simply have no concept of IT, security or responsibility.

      There are far too many people involved in education IT or providing IT services to education that are so stuck up and have this unwavering belief that everything they do is perfect it is unreal. Many have never worked anywhere else and have no concept that actually providing what the user needs might be a good idea. This starts in primary school and goes right through to universities.

  3. Martin an gof Silver badge

    Probably being thick...

    ...but how did they get all those contact details in the first place?

    M.

    1. Anonymous Coward Silver badge
      Boffin

      Re: Probably being thick...

      I don't know about that company in particular, but have seen the tactics used elsewhere. They scour the school websites for email addresses. And job vacancy sites with contact details etc.

      They may also look at simple staff lists and assume the email format as being firstname.lastname@school.domain or f.surname@ etc (often assisted by seeing other addresses for the same establishment) - they extrapolate as much as possible to boost their headline figure.

      There's nothing that you couldn't find yourself, but they sell the convenience of having it all in one place.

  4. Mr Dogshit
    FAIL

    Schools Marketing

    Two words which should never follow each other in that order.

    1. MOH

      Re: Schools Marketing

      Or any order

    2. Terry 6 Silver badge

      Re: Schools Marketing

      But they are. Marketing to schools has been increasingly about big business for decades. And very much supported by government policies.

      Where once services for and in schools were local authority or non-profit (e.g. exam boards) they are now almost all commercial. Teaching reading is off-the-shelf phonics, easy to sell and easy to measure (even if it's not a great way to teach reading) of commercially produced packages authorised by government. Exams are run by publishing companies, who also sell the curriculum materials. Advisory and support teachers have been privatised or abolished by local authorities for schools to buy in services from any company that's persuasive enough. Services that were once provided on an "as needed" basis with no need to provide corporate profits, sales, marketing or management costs by locally employed experts who were committed to their roles.

      And yes I was one such..

      1. Anonymous Coward

        Re: Schools Marketing

        And the upshot is that services which were only viable when costs were spread - particularly thinking of the schools music services, schools library services, but it also applies to things like pupil support - have been destroyed in the name of choice. School management teams "choose" not to pay for peripatetic music teachers to come in and give subsidised lessons to children learning a - probably borrowed - instrument and spend the money on iPads instead, so only children whose parents can afford to pay commercial rates and buy or rent the instrument end up with those skills.

        School management teams "choose" not to purchase speech therapy support from the local authority's small centralised, specialist team and instead interpret the child's "statement of educational needs" as meaning they can contract out to a private supply company who will send an 18 year-old on a gap year with no relevant qualifications to plod through some worksheets and take the child out of class if they get a bit stroppy, because two hours of qualified SLT is worth five mornings of 18 year-old.

        The situation is a little better in those parts of the UK where schools aren't forced to become academies and local authorities retain some oversight, but only a little.

        Anon because I know people on all sides of this debate and I might be exaggerating - though only a little.

        1. Terry 6 Silver badge

          Re: Schools Marketing

          Absolutely.

          <rant> I used to support kids with literacy difficulties, employed by a local authority. And we divided our service as fairly as we could between schools. We were, when it was the Inner London Education Authority, funded in a way that spread the costs over rich and poor boroughs and after, worked equally across the rich and poor schools in our boroughs. We'd been provided training by the best trainers that could be found. Real experts that willingly gave their time because we weren't doing this for shareholders' profits. We developed and honed our work by keeping up to date with all the research coming out of universities, not just the commercially developed or ideologically approved ones.

          We sourced books from school library services that would engage and encourage the kids.

          Schools also received advice and support from a range of locally employed specialists across the curriculum, employed by the authorities. When the LEAs tried to retain some funding for this they were berated and called "greedy" (notably by the BBC by the way) as if the money was being used for big lunches and parties, rather than to employ a bloody primary science advisor or curate a collection of teaching materials to share across their schools.

          </rant> Rant ended only because I need to go and calm down.

        2. John Brown (no body) Silver badge
          Headmaster

          Re: Schools Marketing

          "spend the money on iPads instead,"

          There's DJing and Scratching apps on the iPad, as well as various music making software isn't there? That'll do. The iPad is a "musical instrument" :-)

      2. hoola Silver badge

        Re: Schools Marketing

        You are correct that local authorities have abolished almost all the support services but that is actually not the fault of the authority. The entire thing is rigged with these huge academy chains that have commercialised education for their own gains (large profits and salaries). This has left the LEA with nothing left to provide except the bare minimum because all the money has been taken away by Government.

        There is this bizarre concept that just because an academy is a trust it is somehow respectable and everything is for the benefit of "The Children". This is complete bollocks as all the trust status does is give them tax advantages. The upper echelons of these trusts are paid huge amounts of money as are many heads and the now essential "Executive Head". The entire management and support chain now costs vastly more than it ever did through the LEA as it is both grossly inefficient (more people) and far higher salaries.

        This makes for interesting reading....

        https://www.nga.org.uk/getmedia/9688a374-2272-48e8-afe1-d82f2532432d/ASCL-Guidance-Paper_Setting-Pay-for-Ex-Heads-Princials-and-CEOs_Nov-2017.pdf

  5. Gareth.

    If I were a teacher in the UK...

    ...I'd be submitting a DSAR to understand what details they may hold about me.

  6. chivo243 Silver badge
    Stop

    Fingers in ears

    La la la la la. We didn't hear that, so it can't be true!

  7. TechHeadToo

    Teachers eh?

    It's the education sector. Probably run by ex-teachers, and the subjects are teachers.

    So it's about what I expect. After all, teachers know EVERYTHING and cannot allow themselves to be shown to be, to be, well, a lot stupid about so much of life.

    1. chivo243 Silver badge
      Trollface

      Re: Teachers eh?

      Yes my friend, Teachers are the worst students, and Doctors are the worst patients...

  8. IanRS

    "We do not hold any confidential information on any of our servers."

    Well that much was true certainly.

    1. Antron Argaiv Silver badge
      FAIL

      I'll bet they had a good laugh after someone came up with that sentence.

      One step up from spammers.

    2. John Brown (no body) Silver badge

      "we do not hold any confidential information on any of our servers"

      So why do they need to be GDPR and PCER compliant and be registered with the ICO?

      Or is this like advertising a chicken salad as being "dolphin friendly" on the label?

  9. Doctor Syntax Silver badge

    "taking steps to ensure security of our systems as we always have done"

    Did he even stop to think what he was saying?

    1. Pascal Monett Silver badge

      Well, given that he didn't stop to think about what he was doing, I'd venture a "no" to that question.

      In any case, he certainly gets an A+ for Arrogance.

    2. doublelayer Silver badge

      No, using the simile in its unrestricted ability, it's perfectly accurate. Just as a murderer protects life as they always have done or Facebook acts ethically as they always have done. Nobody said the sentence applied if you cut before the "as".

  10. Anonymous Coward

    FFS

    "We have no prior relationship with Pen Test Partners"

    Neither do criminals who will want to get into your systems!

    1. Andrew 6
      Headmaster

      Re: FFS

      Actual knowledge of that or are you just assuming that's the case?

  11. batfink

    "There is no indication that any systems or information we hold have / has been compromised"

    Pardon? Splurged over t'internet isn't "compromised"?

    1. Cybersaber

      Re: "There is no indication that any systems or information we hold have / has been compromised"

      Nope, get with the times re: the latest PR spin. It wasn't 'compromised', it was 'leaked'.

      Not being a pedant about correcting you, (because you're correct) I'm just pointing out the weasel wording by the company.

  12. ecofeco Silver badge

    Why is this even a thing in the first place?

    School marketing? An entire company that does... school marketing?

    But... why? Why do schools need marketing companies? Hint, they don't. This is a simple thing that should be done in-house.

    1. MachDiamond Silver badge

      Re: Why is this even a thing in the first place?

      "Why do schools need marketing companies?"

      The schools don't need a marketing company. The marketing company is specializing in schools and school employees to sell lists to companies that provide products and service to schools and staff.

    2. Anonymous Coward

      Re: Why is this even a thing in the first place?

      It sounds like marketing to schools in this case.

      But there is school marketing too.

      Competition. It's the Policy. Set schools against one another. And schools know full well that there is a spiral involved. I have two local schools federated. One is seen as the good school and gets the middle class families as their first choice. One gets all the needy families, the ones that couldn't/didn't try to get a place in the middle class school. They're within a 5 minute walk of each other, have the same management team etc etc.

      Reputation is everything. Local estate agents only refer to one of these schools.

      And when rolls start to fall, which schools' staff's jobs are in jeopardy? And which staff group have the tougher jobs with the highest skills?

      1. andy gibson

        Re: Why is this even a thing in the first place?

        The blurb on their website says:

        "Want to talk to bursars, facilities managers or Heads of IT? No problem. We’ve got their direct, personal school email addresses - ready to send your marketing emails directly to them."

        Not a problem for me. If an unsolicited email comes in, it goes in the bin, the sender gets blocked and that company doesn't get my business.

        1. Terry 6 Silver badge

          Re: Why is this even a thing in the first place?

          Which is probably true for most schools. That still makes effort for someone who could be using their time better. And useful/important emails can get lost in the wash.

    3. Anonymous Coward

      Re: Why is this even a thing in the first place?

      Why do schools need marketing companies?

      For the same reason that the NHS needs them. The same reason that the UK needs a couple of decades more of BJ and chums. The same reason that we needed Dildo Harding in charge of T&T. The same reason we needed to leave the EU.

  13. Trollslayer
    Flame

    Is Dido Harding

    involved?

    1. Pascal Monett Silver badge

      I'm sure she'll soon be accepted on the Board in an honorary position.

      For £150K/year.

  14. Ex IBMer

    Compromise is such a ..... dirty.... word

    Are we ***sure*** that there has been a compromise.....

    I mean, all it takes is one little design specification saying that upon error the system is to blurt out all of the access credentials ever used for it, and it's not compromised at all. It is operating by design :-)

    Alternately, if the design specs didn't **explicitly** say that outputting passwords was disallowed, then again, the system is operating as designed.

    It's not as if somebody actually hacked them :-P

    Sigh

  15. Ian Johnston Silver badge

    I don't see how their response to the hacking company was arrogant. The problem had been pointed out and they had dealt with it. Were the hackers coughing meaningfully and holding a hand out, perhaps? Apart from soliciting money, what further role could they have?

    1. the hatter

      That the problem wasn't fixed with the first several emails, and they eventually sort it then whine you'd contacted them several times prior is arrogant, it's not admitting they should have fixed something sooner, not acknowledging that you helped them in pointing this out. If I tell you that you left your car unlocked, you don't need a 'prior relationship' with me to thank me for pointing out your carelessness. If it had your laptop bag sat on the passenger seat, I've just done you a favour. If it had thousands of other people's property sat on the passenger seat, I've done them a favour, and you're doing them a disservice to not acknowledge you've been negligent to leave other people's things unsecured.

    2. JohnG

      The correct response would have been something like "Thanks for letting us know", not a polite variant of GFY.

      1. Ian Johnston Silver badge

        Perhaps, but it appears that the "GFY" was in response to a second contact, after the company had been made aware of the problem. They refused any further engagement and the hackers publicised the leak. I really can't help wondering if they would have done so with their mouths stuffed with cash.

        There is no doubt that the company in question was sloppy and perhaps criminally sloppy, but the hacking gang sounds pretty iffy too.

        1. doublelayer Silver badge

          Come on. The second and third emails mentioned almost certainly looked like this:

          First: "You have a problem with your database credentials being shown here ..."

          Second: "Sorry if you didn't get our last email, but you have a problem with your database credentials being shown here ..."

          Third: "You've got some seriously confidential data in your database, and it's a crime to leak it or not report a breach, and your credentials are right here. You need to fix it."

          Then the response. The article notes that the credentials were fixed after the press got involved, not beforehand. You have decided based on no evidence at all that the researchers wanted money, but as the problem they found wasn't fixed, they could easily have just wanted it fixed. Like many other researchers, if someone won't fix their problem which is actively affecting others, they go public. For a similar reason, if you were periodically firing a projectile from your house onto the street, I'd try to make you stop and if you didn't immediately do it, I'd report you to protect pedestrians. No money involved.

        2. cybergibbons

          There was no way to tell if the email had been received and acted on. Given the issue hadn't been fixed, it was chased.

          I've personally disclosed over 50 issues so far, never accepted payment to not disclose them.

          There is no hacking gang.

    3. Gareth79

      The content of the email was published - it had full details of the issue and exactly how it needs to be fixed, with no demands for payment or use of their services. There was also no "hacking" involved. Basically the company got a free warning of a serious vulnerability.

  16. PeteS46

    Blithering idiots!

  17. EricB123 Bronze badge

    Worldwide Problem

    I have lived in several countries, and the same non-attention to software security is everywhere I go. Although I have never been to the UK, one of the countries I have lived in is the USA. I wish I had an answer to this serious problem.

  18. PeteS46

    My kids are too old to be targets. Grandkids though are in range.

    IF my details are exposed I'll be reaching for my lawyers.

    So should parents!

    PeteS

  19. arachnoid2

    No evidence….

    Well….. if you can’t see your servers open to abuse how then can you tell if it’s been compromised?

  20. greenwood-IT

    Good luck with that argument..

    "we do not hold any confidential information on any of our servers"

    I understood name, email, job description, company and password were classed as personal and confidential. I'm pretty sure I can't just publish my list of contacts from my database on a web page - which is what they have basically done! ICO, do your job.

  21. flayman Bronze badge

    "There is no indication that any systems or information we hold have / has been compromised"

    There never would be any indication of this, judging by the kindergarten work practices. Probably zero monitoring and logging. Security an afterthought if it was ever a thought.

  22. Ian Johnston Silver badge

    Am I right in thinking that the business model for freelance penetration testing is "attempt to steal data from companies and when you manage to do so threaten to publicise the weakness unless you get some money"? Because I am pretty sure there is a word for that.

    1. flayman Bronze badge

      No, you are not right in thinking that. They provide a free public service and make responsible disclosures of their findings.

      1. Ian Johnston Silver badge

        So why were this lot pestering their target after making the discovery? What did they hope to get out of it?

        1. doublelayer Silver badge

          They wanted it fixed. Because not having it fixed meant potential problems for the people whose data was in there.

          Don't get me wrong, if the company decided to reward them for their warning, I'm certain they would have taken that gladly. They still wanted the issue fixed though.

          1. cybergibbons

            I don't accept rewards unless the bug is submitted via an already established bug bounty.

        2. cybergibbons

          I sent one email chasing the original report to make sure it had been received.

          They don't have a means to report security issues, so there is a significant chance that the email doesn't reach the person responsible for the security of these systems, and the issue remains unfixed, leaving them at risk.

          This is not "pestering".

    2. cybergibbons

      I'm not a freelance penetration tester, but not sure I have seen any operate under that model either. It's not exactly going to be lucrative working like that.

      As you can see, the way we report issues, we ensure that we aren't offering any services:

      https://twitter.com/cybergibbons/status/1446022192928595973

    3. the hatter

      The weakness will be disclosed regardless of any services purchased or not. Either the compromised company will disclose the personal data has been compromised, as legally required to, or they will be reported for failing to disclose it. The technical weakness will be reported because it's in the public interest to ensure others can learn from this mistake and avoid leaking people's personal data due to poor practices or common mistakes.

      This company says 'we're sure no data has been lost or misused' but it's hard to believe a company that makes this mistake in the first place has such complete network and system logging to accurately determine this claim, in fact quite the opposite. Exactly which outfit they choose to hire to help with their information security is up to them, they're not obliged to do that but they're going to have an even harder time brushing it off next time, to their directors/shareholders, to the ICO, to their customers, and to the people whose data is leaked, if it happens a second time, having already been warned their processes are insufficient.

  23. Stephen Gray

    It's a quality product.

    The fact that they can't even configure the site to display correctly in Chrome should tell you everything you need to know.

  24. Real Ale is Best

    Looks like an old version of Laravel...

    ... with Debug switched on in the .env file.

    Oh dear.

    Probably a developer checked in their local copy of the file overwriting the production copy.

    Use The Forge Luke!!
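
A deploy-time check for the misconfiguration described in the comment above, as an added example that is not part of the original thread or any project's code. It assumes Laravel's standard `APP_DEBUG` and `APP_ENV` keys; the function names, the fail-closed list of "off" values and the sample files are constructed for illustration.

```python
import posixpath

# Values accepted as "debug off"; anything else counts as on (fail closed).
DEBUG_OFF = {"false", "(false)", "0", "", "null", "(null)", "empty", "(empty)"}


def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines into a dict (last assignment wins)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value[:1] in ("'", '"'):
            # Quoted value: keep everything up to the matching closing quote.
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: drop a trailing " # comment".
            value = value.split(" #", 1)[0].strip()
        values[key.strip()] = value
    return values


def audit_env(text, expected_env="production"):
    """Return findings for a .env that is about to serve production traffic."""
    env = parse_env(text)
    findings = []
    debug = env.get("APP_DEBUG")
    # An absent key is left to the application's default and not flagged.
    if debug is not None and debug.lower() not in DEBUG_OFF:
        findings.append(f"APP_DEBUG={debug}: detailed error pages are enabled")
    app_env = env.get("APP_ENV")
    if app_env is not None and app_env != expected_env:
        findings.append(f"APP_ENV={app_env}: expected {expected_env}")
    return findings


def tracked_env_files(tracked_paths):
    """From `git ls-files` output lines, return env files that are committed."""
    hits = []
    for path in tracked_paths:
        path = path.strip()
        name = posixpath.basename(path)
        if name == ".env" or (name.startswith(".env.") and name != ".env.example"):
            hits.append(path)
    return hits


# Constructed sample: a developer's local file, as it might land on a server.
SAMPLE_LOCAL = """\
APP_NAME="Example App"
APP_ENV=local
APP_DEBUG=true   # handy on a laptop
DB_PASSWORD='placeholder-not-a-real-secret'
"""
# Constructed sample: the settings a production copy should carry.
SAMPLE_PROD = "APP_ENV=production\nAPP_DEBUG=false\n"

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_LOCAL):
        print("FAIL:", finding)
    print("production sample findings:", audit_env(SAMPLE_PROD))
    print("committed env files:", tracked_env_files([".env", ".env.example"]))
```

Run as a pipeline step against the file that will actually be deployed, and fail the build when either function returns a non-empty list.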

  25. FlamingDeath Silver badge

    ICO

    If anyone wants to know how to contact the ICO, just head to the golf course
