An alert from one of our readers led to the closing of a serious data leak on a server of the Ministry of Education. Bivol checked and established that the personal data of more than 1.2 million Bulgarian children had for a long time been accessible, without any authentication, to anyone who knew the internet address. Technically, it was very easy to download the names, age, exact address and school attended of every Bulgarian child.

The page in question is an internal page of the site http://back2school.mon.bg/ in the “Open and Safe School” platform, which the Ministry of Education and Science (MES) presented as a tool for combating school dropout. The project was implemented after the Council of Ministers decision of July 5, 2017, establishing a mechanism for joint work of the institutions on the enrollment and retention in the education system of children and students of compulsory preschool and school age.

The main spokesperson and promoter of the new system is Deputy Minister of Education Denitsa Sacheva. She entered politics as the head of the candidate list of the right-wing party Democrats for Strong Bulgaria (DSB) in the city of Haskovo. Then, during two terms in office of Prime Minister Boyko Borisov, she held various posts in the health, social and education ministries.

An announcement of MES about the platform says: “The system will include all data needed to detect and enroll children and adolescents in the education system as well as actions taken by representatives of different institutions to specifically help each child be educated as long as possible.”

“Only authorized persons will have access to the platform via the sites of the two institutions,” the Ministry assured.

However, the site’s security is, to put it mildly, deplorable, starting with the login page, which was not served over an encrypted connection (the site runs on plain HTTP). Usernames and passwords therefore travelled in clear text and could be read by anyone able to intercept the traffic, and any captured credentials would give full access to the system to people who should not have it.

There is, however, even worse news. On the page http://back2school.mon.bg/StudentForm.aspx?Entity=1000000 (closed after Bivol’s tipoff), a child’s full record was displayed: three names, age, current and permanent address, whether the child attends school, and the name and location of the school. Simply changing the Entity number in the address brought up another child’s record, and so on.

Free access to this information, with no login or password, is an extremely harmful and dangerous practice. It is trivial to write a simple program that walks the Entity numbers and collects the data on every child in the system. Anyone with a little more internet knowledge could obtain the data of all Bulgarian children, load it into a database and filter the children by city, age, name and so on.

It is easy to imagine what could happen if this data ended up in the hands of pedophiles or of organized crime groups involved in abductions. For example, it would be easy to locate the children of influential businessmen.

All this requires immediate intervention by DANS (the State Agency for National Security) to check whether the server logs contain traces of mass data extraction, because 1.2 million records is a genuine national security breach. It is also high time to pay attention to the information security of institutions handling huge personal databases on the country’s population and to introduce mechanisms that rule out such dangerous practices, at least at the technical and administrative level.
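The log check called for above can be done mechanically. The following is an added example, written for this article and not code from Bivol, MES or DANS: it parses web-server access lines in the IIS W3C format (the site is an ASP.NET application, so that format is a reasonable but unverified assumption), groups StudentForm.aspx requests by client address, and flags clients whose requests walk consecutive Entity values, the signature of a download loop. The log lines are constructed for the example, and the thresholds are assumptions to be tuned against the real traffic of the enrollment teams.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the IIS W3C extended format (not real MES logs).
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
_HEADER = "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status"


def _build_sample_log():
    """Build a constructed log: one client walking Entity=1000000.. one per second,
    and one enrollment-team user fetching three unrelated records while logged in."""
    lines = [_HEADER]
    t0 = datetime(2017, 10, 12, 9, 0, 0)
    for i in range(200):  # the scanner: 200 consecutive Entity values, no username
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /StudentForm.aspx "
                     f"Entity={1000000 + i} 203.0.113.7 - 200")
    for i, ent in enumerate((1004217, 1000088, 1003910)):  # legitimate, authenticated
        ts = t0 + timedelta(minutes=7 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /StudentForm.aspx "
                     f"Entity={ent} 198.51.100.2 team07 200")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

_ENTITY_RE = re.compile(r"(?:^|&)Entity=(\d+)(?:&|$)")


def parse_iis_log(text):
    """Yield one dict per request line; '#' directive lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 9:
            continue  # different field layout or a damaged line: skip rather than guess
        date, time, _sip, method, stem, query, cip, user, status = parts
        yield {
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "method": method, "stem": stem, "query": query,
            "client": cip, "user": user, "status": int(status),
        }


def entity_hits_by_client(text):
    """Map client IP -> list of (timestamp, Entity, username) for successful
    StudentForm.aspx fetches that carried an Entity parameter."""
    hits = defaultdict(list)
    for r in parse_iis_log(text):
        if r["stem"].lower() != "/studentform.aspx" or r["status"] != 200:
            continue
        m = _ENTITY_RE.search(r["query"])
        if m:
            hits[r["client"]].append((r["ts"], int(m.group(1)), r["user"]))
    return hits


def score_client(hits):
    """Summarise one client's fetches. consecutive_ratio is the share of successive
    requests whose Entity differs by exactly 1, i.e. a loop walking the ID space."""
    hits = sorted(hits)
    entities = [e for _, e, _ in hits]
    steps = [b - a for a, b in zip(entities, entities[1:])]
    consecutive = sum(1 for s in steps if abs(s) == 1) / len(steps) if steps else 0.0
    span = (hits[-1][0] - hits[0][0]).total_seconds() if len(hits) > 1 else 0.0
    per_minute = len(hits) / (span / 60) if span > 0 else float(len(hits))
    return {
        "distinct": len(set(entities)),
        "consecutive_ratio": consecutive,
        "per_minute": per_minute,
        "anonymous": all(u == "-" for _, _, u in hits),
    }


def find_enumerators(text, min_distinct=50, min_consecutive=0.8):
    """Return client IPs whose pattern looks like a mass download.
    Thresholds are assumptions for this example, not calibrated values."""
    flagged = []
    for client, hits in entity_hits_by_client(text).items():
        s = score_client(hits)
        if s["distinct"] >= min_distinct and s["consecutive_ratio"] >= min_consecutive:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, hits in entity_hits_by_client(SAMPLE_LOG).items():
        print(client, score_client(hits))
    print("flagged:", find_enumerators(SAMPLE_LOG))
```

On real logs the interesting output is not only the flagged addresses but the sum of distinct Entity values they retrieved, which is the lower bound on how many children's records left the server; a scanner that randomises the order or rotates addresses will lower the consecutive ratio, so the distinct count and request rate should be reported alongside it rather than relied on alone.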


Updated at 1:30 p.m.

After the publication, MES issued a press release (currently available only on Facebook) stating that there is no breach of the system and no free access to the entered student information. However, it contains two contradictory statements:

“The Open and Safe School system never included data on 1.2 million children,” MES’ press officers write, and immediately afterwards:

“There is no external access to the social security numbers (SSNs) and other protected data of all, over 1 million, children because this part of the information has never been opened. It was submitted to the MES by the Civil Registration and Administrative Services Department (GRAO) and was used only to compare the available enrollment database and to establish a difference of 206,378 children and students.”

Whether the system held one million or one million two hundred thousand records does not change the overall picture or the fact that there was a security breach.

Obviously, the GRAO database was compared with the MES database of children enrolled in school, which itself contains a considerable number of records. According to official data, the number of pupils in Bulgaria is about 700,000, but the system should also include data on children of preschool age, so the total number of records in the system approaches one million.

Nor is the lack of access to SSNs much comfort, because the data on the page included three names, a full address down to the floor and apartment number, and possibly the school the child attends. This combination uniquely identifies each child. The very fact that it was accessible without a password is outrageous.

Bivol’s check, verified by witnesses, showed that, before it was closed, the system responded to random form numbers across a range of more than 1 million records. Moreover, records could be retrieved by consecutive numbers, so the whole set could be walked in order, which is a gross violation of information security practice.
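The two design faults described in this article, records served to anyone who asks (the StudentForm.aspx page) and records addressed by consecutive numbers (the finding above), are shown side by side in the following added example. It is illustrative code written for this article, not MES’s code, and the student records, session model and team scopes in it are constructed assumptions. The vulnerable half reproduces the behaviour the article describes; the hardened half replaces the counter with an unguessable token and makes every lookup check that the caller is logged in and cleared for that record.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    names: str
    age: int
    address: str
    school: str
    municipality: str


# Constructed records for this example; not real data.
_SAMPLE = [
    Student("Ivan Petrov Ivanov", 8, "Sofia, ul. Primerna 1, fl. 2, ap. 5", "19 SU", "Sofia"),
    Student("Maria Georgieva Petrova", 6, "Plovdiv, ul. Primerna 7, ap. 12", "SU Hristo Botev", "Plovdiv"),
    Student("Georgi Dimitrov Stoyanov", 10, "Haskovo, ul. Primerna 3", "OU Sv. Kliment", "Haskovo"),
]

# --- Vulnerable design, as the article describes ---------------------------
# Records keyed by a consecutive integer (Entity=1000000, 1000001, ...) and
# returned to anyone who asks, with no login and no authorization check.
RECORDS_BY_ENTITY = {1000000 + i: s for i, s in enumerate(_SAMPLE)}


def vulnerable_lookup(entity):
    """Any Entity value returns its record; nothing about the caller is checked."""
    return RECORDS_BY_ENTITY.get(entity)


def enumerate_vulnerable(start, count):
    """Walk consecutive Entity values: the 'simple program' the article warns about."""
    found = []
    for entity in range(start, start + count):
        record = vulnerable_lookup(entity)
        if record is not None:
            found.append(record)
    return found


# --- Hardened design (added here; an assumed design, not MES's code) --------
# 1. Records are addressed by a random 128-bit token instead of a counter, so
#    the ID space cannot be walked: 2**128 possible values for roughly 10**6 records.
# 2. Every lookup requires a session and checks that the record falls inside the
#    caller's scope (here: the municipalities an enrollment team is cleared for).
RECORDS_BY_TOKEN = {secrets.token_urlsafe(16): s for s in _SAMPLE}


@dataclass(frozen=True)
class Session:
    user: str
    municipalities: frozenset


class Forbidden(Exception):
    pass


def hardened_lookup(token, session):
    if session is None:
        raise Forbidden("login required")
    record = RECORDS_BY_TOKEN.get(token)
    if record is None or record.municipality not in session.municipalities:
        # One answer for "no such record" and "not yours", so the response
        # cannot be used to confirm which tokens exist.
        raise Forbidden("not found or not authorised")
    return record


def enumerate_hardened(start, count, session):
    """The same integer walk against the hardened endpoint finds nothing."""
    found = []
    for entity in range(start, start + count):
        try:
            found.append(hardened_lookup(str(entity), session))
        except Forbidden:
            pass
    return found


if __name__ == "__main__":
    print(len(enumerate_vulnerable(1000000, 1000)), "records pulled from the vulnerable endpoint")
    team = Session("team07", frozenset({"Haskovo"}))
    print(len(enumerate_hardened(1000000, 1000, team)), "from the hardened one")
```

The token alone is not the fix: an unguessable identifier only stops blind enumeration, while the session and scope check is what stops a logged-in team from reading records outside its own municipality, which is the access model the Ministry itself describes when it says that only authorized persons should reach the data.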

Finally, MES reassures that by the time the press release was issued (a few hours after our tipoff) the breach had already been blocked.

The only external server, used temporarily for access by the enrollment teams, does not contain SSNs or other personal data, is protected by security certificates, and periodically changes its position on the internet and the access codes of the teams that use it, the Ministry of Education insists.
