Bill & Melinda Gates Foundation’s Charity GetSchooled Breaches 900k Children’s Details

3 years ago

The Financial Times was the first to break this story earlier today (29th December 2020).

This breach occurred when GetSchooled (getschooled.com), a charity founded by the Bill & Melinda Gates Foundation in collaboration with Viacom left a database open and accessible to anyone with a browser and internet connection.

According to TurgenSec: The breach impacts 930k individuals, composed of children (10-16y/o), some young adults and some college students.

The breached information contains extensive personal details of children, teenagers and young adults including: full addresses, schools, full student PII including student phone numbers and emails, graduation details, ages, genders and more…

The breach was responsibly disclosed by TurgenSec (turgensec.com) to GetSchooled on the 18th of November 2020 and GetSchooled closed the breach on the 21st of December, over a month later.

GetSchooled

The Get Schooled Foundation is a national non-profit organization helping young people thrive in high school, college, alternative pathways and early career jobs, through a unique blend of compelling digital content, gamification, and personalized support and engagement.. Wikipedia

Responsible Disclosure

According to TurgenSec: TurgenSec reached out to GetSchooled on the 18th of November, calling them and emailing them multiple times over the period of a month. We did not get a reply directly from GetSchooled and eventually escalated to contacting the NCSC, Viacom and the Bill & Melinda Gates Foundation (exact timeline available upon request). We made contact with both Viacom and the Bill & Melinda Gates Foundation who informed us that they had passed information onto GetSchooled. Following this escalation the breach was closed

GetSchooled Response

According to the Financial Times: Get Schooled disputed the size of the breach, saying it believed that about 250,000 accounts were left exposed. It said that under a third of those accounts, around 75,000, were linked to email addresses that remain active. It estimated that about 20,000 phone numbers and 12,000 mailing addresses could have been accessed, but said no birth dates or financial details were included in the database.

Leave a Reply

Your email address will not be published.