Date: May 23, 2019

TotalRegistration.net Data Security Incident

Dear Parents and Guardians of AP Test Takers:

Montgomery County Public Schools (MCPS) is notifying you of a security incident that occurred with TotalRegistration.net, which is used by 22 high schools in our district to register for AP and PSAT testing. Certain data elements for students and their parents who registered through the platform were exposed due to unsecured reports on TotalRegistration’s website. MCPS has a commitment to data privacy for student data, family data, and employee data. We are taking this event very seriously and aim to distribute all available information to parents, students, and schools. We have been engaging TotalRegistration over the last week to learn more about the incident and seeking remedies for the incident. Below is a summary of this information, TotalRegistration’s responses, and MCPS’s actions to address this issue.

Incident

TotalRegistration.net is an online tool used by students and parents to simplify the registration process for AP testing in Montgomery County Public Schools (MCPS). Twenty-two high schools currently have accounts with the vendor. Note that MCPS does not use TotalRegistration for IB testing - only AP and PSAT testing.

TotalRegistration.net notified MCPS on May 10, 2019 that a “security incident” occurred around April 11, 2019. Sensitive student data may have been exposed due to a misconfiguration on TotalRegistration’s data storage platform. Any reports that a school ran and saved from the TotalRegistration administrative console as a .pdf, .csv, or .doc during this time period were stored in an insecure data bucket. A journalist discovered this vulnerability and notified TotalRegistration.

Data Involved

The following chart distinguishes the data elements TotalRegistration states may have been available from the elements they do not believe were exposed.

Exposed Data Elements¹

  • Name
  • Date of Birth
  • Language
  • Grade Level
  • Gender
  • Student ID #
  • Last Four Digits of SSN
  • Physical Address
  • Email Address
  • Phone Numbers
  • Ethnicity
  • College Board ID #

Not Exposed

  • Social Security #
  • Driver’s License #
  • Passport #
  • Military ID #
  • Credit Card #
  • Bank Account Info
  • Health Insurance Info
  • Medical Info
  • Biometric Info
  • Digitized Signatures
  • Test Scores
  • Passwords

¹ Not all users of TotalRegistration.net were required to enter all of these data elements.

TotalRegistration’s Original Notification

On Friday, May 10, 2019, TotalRegistration sent out their original notification email to MCPS employees:

Greetings TR Users,

Total Registration, LLC (TR) is a provider of online exam registration and organization services for schools.  The privacy and protection of the personal information of our customers is a matter we take very seriously, which is why, as a precautionary measure, we are writing to let you know about a data security incident that may involve your students’ personal information.

WHAT HAPPENED?

On the evening of April 11, 2019, we received an email from an individual stating she is a journalist, in which she informed us that TR may have a misconfigured setting in our Amazon Web Services S3 file storage service.  TR uses the S3 service to temporarily store documents that authorized school personnel and students can generate from particular reports.

Upon receipt of this information, we immediately began to investigate the matter.  As part of that investigation, we discovered that one of our developers misconfigured a setting within TR’s Amazon S3 file storage service.  As a result of that configuration, certain files (pdf, .csv, .doc) that individual schools can create from reports, which list information about students registered for exams, and copies of registration confirmations generated by individual registrants, may have been available to individuals who accessed the URL for the TR S3 file storage.  Each such document from a report or confirmation was only accessible for 48 hours after the file or confirmation was generated. After 48 hours, each file or confirmation would automatically delete. It is important to note that based upon our investigation, only those reports that a user chose to save in .pdf, .csv, or .doc file format were accessible.  If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, .doc file, there was no file stored in S3.

On April 12, 2019, TR reconfigured the setting in our file storage service to correct the problem and deleted any remaining files in the file storage service that had been retained due to the misconfigured setting.

WHAT INFORMATION WAS INVOLVED?

The data that may have been exposed was limited to certain information used to register for Advanced Placement, PSAT/NMSQT, and International Baccalaureate exams, based on how individual schools conducted registrations and ran their reports.  Those reports may have included student registration information that students provided when registering for a test, such as name, IB candidate category, grade level, gender, date of birth, address, email address, and parent/guardian names. The data that may have been exposed did not include social security numbers, credit card numbers, or other financial information.

WHAT WE ARE DOING?

TR values your privacy and deeply regrets that this incident occurred. With the help of third-party experts, we are conducting a thorough review of our system and will notify you if there are any significant developments. TR has implemented additional security measures designed to prevent a recurrence of such an incident and to protect the privacy of TR's valued customers.

To date, except for the journalist who contacted us regarding this issue, we are not aware of (nor is there any evidence that) any third party who accessed information that may have been exposed as a result of this incident.

FOR MORE INFORMATION

If you have any questions regarding this incident or if you desire further information or assistance, please email support@TotalRegistration.net or call 800-974-2187 option 2.

We truly apologize for this incident and regret any inconvenience it may cause you.

TotalRegistration’s Update

On Friday, May 17, 2019, TotalRegistration updated MCPS employees with the following information:

Dear Total Registration Community:

We are writing to update you on the previously disclosed data security incident and inform you of the new tools we have created to assist with the identification and notification of students and/or parents should you deem necessary.

What You Can Do

Total Registration has developed multiple resources to assist districts and schools learn more and communicate with constituents if they wish.  Some U.S. and non-U.S. jurisdictions may have laws that require disclosure of certain data security incidents to affected consumers and government regulators.  Below is a description of the resources that we have created to support you:

  • Student lists and sample notice letter and notification tool: We have created a tool to help identify students potentially affected by the incident.  We have also drafted a sample notification letter, which you may choose to adapt to any requirements of applicable jurisdiction(s) and send to your students notifying them of this incident. We have also created a tool to facilitate email notification to your students. School users can access the notification tool through their TotalRegistration.net account under the AP tab (AP => AP Report Center => Communications => Notify Families of Data Security Incident).  District users can notify all families at the district’s schools through their TotalRegistration.net account under the AP tab as well (AP => AP Report Center => Incident Message => Notify Families of Data Security Incident).  Please note that it is important that districts and schools communicate with each other about any notifications.

  • Website: A webpage is available to link from your website if you find it is a helpful resource in providing notice to your students: https://www.totalregistration.net/DSI-FAQ.php

  • FAQ: A list of anticipated questions and answers is available on our website: https://www.totalregistration.net/NDSI.php

What We Are Doing

TR values your privacy and deeply regrets that this incident occurred. With the help of a third-party data security specialist, we are conducting a thorough review of our system and will notify you if there are any significant developments. TR has implemented additional security measures designed to prevent a recurrence of such an incident and to protect the privacy of TR’s customers and their students.

To date, except for the journalist who contacted us regarding this issue, we are not aware of (nor is there any evidence of) any third party who accessed information that may have been exposed as a result of this incident.

Update on What Happened

On the evening of April 11, 2019, we received an e-mail from an individual claiming to be a journalist, in which she informed us that TR may have a misconfigured setting in our Amazon Web Services S3 file storage service.  TR uses the S3 service to temporarily store documents that authorized school personnel and students can generate from particular reports.

Upon receipt of this information, we immediately investigated the matter and remedied the issue by April 12, 2019.  As part of that investigation, we discovered that one of our developers misconfigured a setting within TR’s Amazon S3 file storage service.  Total Registration uses this S3 file storage service to store reports and registration confirmations created by its users. As a result of the setting misconfiguration, certain files (pdf, .csv, .doc) that individual schools can create from reports, which list information about students registered for exams, and copies of registration confirmations generated by individual registrants, may have been available to individuals with knowledge of S3 system architecture who accessed the URL for the TR S3 file storage.

All school-generated reports or student-generated confirmations were only accessible for 48 hours after the applicable file or confirmation was generated.  After 48 hours, each report or confirmation would automatically be deleted. It is important to note that based upon our investigation, only those reports that a user chose to save in .pdf, .csv, or .doc file format were accessible.  If a user viewed or printed a report but did not elect to generate or save a .pdf, .csv, .doc file, there was no file stored in S3. Total Registration set up the S3 file storage service in June 2016, so any files that were created and stored on the S3 service between June 2016 and April 12, 2019, would have been accessible during the 48-hour window between that file’s creation date and its automatic deletion by Total Registration.

Information Involved

The data that may have been exposed was limited to certain information used to register for Advanced Placement, International Baccalaureate, and PSAT/NMSQT exams, based on how individual schools conducted registrations and ran their reports.  Those reports may have included student registration information that students provided when registering for a test, such as name (of students and/or parents), date of birth, language, grade level, sex, student ID, last four digits of Social Security Number (of International Baccalaureate registrants only), physical address (of students and/or parents), email addresses (students and/or parents), phone numbers (of students and/or parents), ethnicity, International Baccalaureate candidate category, and College Board identification number (e.g., SSD), as well as some additional information that may be requested by individual schools for their registrations. The data that may have been exposed did not include any full social security numbers, credit card numbers, or other financial information. It also did not include any medical information, passwords or login information, or any test results or scores.

For More Information

On behalf of the entire TR team, we sincerely regret that this incident occurred.  Your business is extremely important to us and we value the trust you place in us by choosing TR.  We appreciate the support and collaboration so many of you, our customers and partners, have demonstrated throughout this matter.  TR is proud to be your partner in combating this challenge and ensuring your students are protected.

If you have any questions regarding this incident or if you desire further information or assistance, please email support@TotalRegistration.net.

We truly apologize for this incident and regret any inconvenience it may cause you.

MCPS Timeline of Actions

Montgomery County Public Schools was notified of the security incident on May 10, 2019. MCPS immediately reached out to the vendor for clarifying details and to determine the best course of action moving forward. Internally, the Office of the Chief Technology Officer created a cross-office collaborative group including the Office of Curriculum and Instructional Programs, the Office of General Counsel, and the Public Information Office. MCPS quickly determined that TotalRegistration is purchased by and contracted with each high school directly.

While MCPS has asked numerous questions to clarify the amount of data exposed, how many times said data was accessed, or any other details regarding the incident, the vendor has yet to supply any helpful information regarding specifics around what data was accessed. While the vendor states that they have no evidence of any third party (aside from the journalist) accessing data, they are unable to state with certainty that the data hasn’t been accessed by others. The vendor states that there are no transaction/audit logs to verify this claim. MCPS has also asked if the vendor has any plans for reparations to the families that are affected, and was notified by Total Registration that “Due to the nature of the incident and the potential data involved (or more importantly not involved), we will not be providing reparations.”

As MCPS is made aware of any additional details regarding this security incident, MCPS will broadcast to our stakeholders as quickly as possible.

Next Steps

MCPS will continue to update the community as additional information is discovered or disclosed by the vendor. MCPS has a commitment to privacy, and paramount to this commitment is transparency. MCPS is actively working to identify and develop strong agreements with our vendors that will best ensure the safety and privacy of our stakeholders.

MCPS will not make any decisions that would impact AP testing for the remainder of the AP testing season. However, as soon as the AP testing season is over, MCPS will re-evaluate our AP registration process so that it is done more safely and effectively.

More Information

For more information on this security incident with TotalRegistration.net, it is recommended that you contact TotalRegistration.net at support@TotalRegistration.net.

Additional questions may be answered already on TotalRegistration’s “Data Security Incident - Frequently Asked Questions” page located here: https://www.totalregistration.net/DSI-FAQ.php

If you need information about whether your particular student is affected by this incident, please contact your child’s high school. If you want to speak with someone from the MCPS central office, please email the incident response dropbox at TR-Databreach@mcpsmd.org.

Sincerely,

Montgomery County Public Schools