After a tip-off from Bivol, access to the server was suspended. The National Security Agency (DANS) must establish whether there was a national security breach.

Education Ministry’s New Platform “Open and Safe School” Displayed Personal Data of 1.2 Million Bulgarian Children

Bivol Team

An alert from one of our readers led to the closing of a serious leak from a server of the Ministry of Education. Bivol conducted a check and established that the personal data of more than 1.2 million Bulgarian children had been accessible for a long time, without any authentication, to anyone who knew the internet address. Technically, it had been very easy to download the names, ages, exact addresses and attended schools of all Bulgarian children.

This refers to an inside page of the site http://back2school.mon.bg/ in the “Open and Safe School” platform. It was presented by the Ministry of Education and Science (MES) as a means of combating dropping out of school. The project was implemented after the decision of the Council of Ministers dated July 5, 2017, establishing a mechanism for joint work of the institutions for enrollment and retention in the educational system of children and students in compulsory school age and preschool age.

The main mouthpiece and PR of the new system is the Deputy Minister of Education Denitsa Sacheva. She entered politics at the top of the ballot of the right-wing party Democrats for Strong Bulgaria (DSB) in the city of Haskovo. Then, during two terms in office of Prime Minister Boyko Borisov, she held various posts at the Health, Social, and Educational ministries.

An announcement of MES about the platform says: “The system will include all data needed to detect and enroll children and adolescents in the education system as well as actions taken by representatives of different institutions to specifically help each child be educated as long as possible.”

“Only authorized persons will have access to the platform via the sites of the two institutions,” the Ministry assured.

However, the site’s security is, to put it mildly, deplorable, as can be seen from the login page, which asked for a password but was not encrypted. Passwords could be read by any hacker, and all usernames and passwords could be used to give full access to the system to people who should not have it.

There is, however, even worse news. On the page http://back2school.mon.bg/StudentForm.aspx?Entity=1000000, now closed after a tip-off from Bivol, the full data and details of a child were displayed: three names, age, current and permanent address if the child attends school and the name and location of the school. Changing the Entity number brought up the data of another child, and so on.

Free access to this information without a login and password is an extremely harmful and dangerous practice. It is very easy to write a simple program to collect the data about all children in the system. Anyone with a little more knowledge of the internet could obtain the data of all Bulgarian children, upload them to a database and filter children by city, age, name, etc.

We can easily imagine what could happen if this data ends up in the hands of pedophiles or organized crime groups involved in abductions. For example, it would be easy to track the children of influential businessmen.

All this requires immediate intervention by DANS to check whether the server logs contain traces of mass data harvesting, since the data of 1.2 million children amounts to a real national security breach. It is also high time to pay attention to information protection at institutions handling huge personal databases related to the country’s population and to introduce mechanisms that exclude dangerous activities, at least on a technical and administrative level.
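The log check called for above can be sketched as follows. This is an added example, not code from Bivol or the Ministry: it scans web server access logs for clients that fetched many distinct `Entity` records, or a long consecutive run of them, from `StudentForm.aspx`. The log field order, the sample lines, the IP addresses and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs
# Constructed sample log (not real data). Assumed field order, IIS W3C style:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-01-01 09:00:01 198.51.100.7 GET /StudentForm.aspx Entity=1000000 200
2000-01-01 09:00:01 198.51.100.7 GET /StudentForm.aspx Entity=1000001 200
2000-01-01 09:00:02 198.51.100.7 GET /StudentForm.aspx Entity=1000002 200
2000-01-01 09:00:02 203.0.113.20 GET /StudentForm.aspx Entity=1048113 200
2000-01-01 09:00:03 198.51.100.7 GET /StudentForm.aspx Entity=1000003 200
2000-01-01 09:00:03 198.51.100.7 GET /StudentForm.aspx entity=1000004 200
2000-01-01 09:05:40 203.0.113.20 GET /StudentForm.aspx Entity=1730552 200
2000-01-01 09:06:00 203.0.113.20 GET /Default.aspx - 200
"""

def entity_ids_by_client(log_text, page="/studentform.aspx"):
    """Map client IP -> set of Entity ids answered with HTTP 200 on `page`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 7:
            continue  # header or malformed line: skip rather than guess
        ip, stem, query, status = parts[2], parts[4], parts[5], parts[6]
        if stem.lower() != page or status != "200":
            continue
        # ASP.NET reads query-string keys case-insensitively, so normalise them
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        value = params.get("entity", [""])[0]
        if value.isdecimal():
            seen[ip].add(int(value))
    return dict(seen)

def longest_run(ids):
    """Length of the longest run of consecutive integers in the set `ids`."""
    best = run = 0
    for n in sorted(ids):
        run = run + 1 if n - 1 in ids else 1
        best = max(best, run)
    return best

def suspected_enumeration(log_text, min_distinct=5, min_run=4):
    """Clients that fetched many distinct records or a long consecutive run."""
    report = {}
    for ip, ids in entity_ids_by_client(log_text).items():
        run = longest_run(ids)
        if len(ids) >= min_distinct or run >= min_run:
            report[ip] = {"distinct": len(ids), "longest_run": run,
                          "first": min(ids), "last": max(ids)}
    return report
```

On real logs the thresholds would be set far higher and the report compared against the known addresses of the authorized enrollment teams.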

 

Updated at 1:30 p.m.

After the publication, the MES issued a press release (currently only available on Facebook) stating that there was no breach of the system and no free access to the entered student information. However, it includes two contradictory statements:

“The Open and Safe School System never included data on 1.2 million children,” MES’ press officers write and immediately afterwards:

“There is no external access to the social security numbers (SSNs) and other protected data of all, over 1 million, children because this part of the information has never been opened. It was submitted to the MES by the Civil Registration and Administrative Services Department (GRAO) and was used only to compare the available enrollment database and to establish a difference of 206,378 children and students.”

Whether the system had a million or one million and two hundred entries does not change the overall picture and the fact that there was a security breach.

Obviously, the GRAO database was compared with the MES database of children enrolled in school, which contains a measurable number of records. According to official data, the number of pupils in Bulgaria is about 700,000, but the system should also include data on children of pre-school age, so the total number of records in this system approaches one million.

Also, the lack of access to SSNs is of little comfort because the data on the page included three names, a full address with even the floor and the apartment number, and possibly the school attended by the child. This combination provides unique information about each child. The very fact that there was access to it without a password is outrageous.

Bivol’s check, verified by witnesses, showed that, before being closed, the system responded to random form numbers in a range of more than 1 million records. Besides, it also provided information on consecutive numbers, which is a gross violation of information security.

Finally, the MES gives assurances that by the time the press release was issued (a few hours after our tip-off) the breach had already been blocked.

The only external server used temporarily for access by the enrollment teams does not contain SSNs and other personal data, is protected by security certificates, and periodically changes its position on the internet and the codes of the teams that have access to it, the Ministry of Education insists.
