The personal information of almost 100,000 people seeking their high school transcripts was recently exposed on a Web site that helps students obtain their records.
The data included names, addresses, e-mail addresses, phone numbers, dates of birth, mothers' maiden names and the last four digits of the users' Social Security numbers. Although there is no evidence the data were stolen, privacy advocates say the availability of such basic personal information heightens the risk of identity theft.
The availability of the data appears to be the result of a flaw in the way the two-year-old site was designed. It highlights how easily sensitive personal information can be exposed with the proliferation of online businesses and services - many of which do not employ adequate security practices.
"It's an embodiment of most parents' worst nightmare," said Elana Zeide, a research fellow at New York University's Information Law Institute, speaking of the prospect of personal information being made available publicly. "Many of the concerns involve data security, who can access that information and identity theft - and this [site's problem] seems to implicate all of those concerns."
When notified by The Washington Post this month, the company first disputed that the personal information of users was publicly accessible but has now attempted to fix the problem.
The Post learned of the data exposure this month through an individual who claimed to have attempted to order a transcript and, after signing in to the site, encountered an error message containing a link to a publicly available subdirectory on the Web site. That subdirectory contained links to the data of almost 100,000 other individuals. The Post's analysis indicates the issue may date back to the site's inception in February 2012.
The availability of customers' personal information appears to violate the company's own privacy policy, which said it had in place "appropriate physical, electronic and managerial procedure to safeguard and secure the information we collect online."
A review of the records showed 98,818 "Student Records Requests" and 20,183 "Education Verification Release Authorizations" dating back to November 2012. Also exposed were corresponding signatures from individuals requesting the records.
Some of the requests were from background-check services, such as UniversalBackground.com, as well as from the U.S. Army and Marine Corps, colleges and even the D.C. Metro Transit Police Department. Some of the requests were made as part of job applications, and the data exposed in some cases showed the organizations to which individuals were applying.
"I'm very concerned," said Jerry Owens Jr., 27, of Upper Marlboro, Md., who sought his transcript last year in connection with a job application and whose details were publicly available through the site. "If somebody gets ahold of your data, that's 'you' on paper," he said. "I've seen my friends go through it. It takes a while for all your credit to get fixed."
The Web site relies on third-party services such as Google Docs to accept applicants' signatures and display their transcript requests. A Google search for a particular high school and "transcript" would sometimes return NeedMyTranscript.com's portal in the top search results.
The Charlotte-based company was founded by Maria Stephenson, who is the chief executive officer.
"We do a very good job of handling people's privacy," Stephenson said in a phone interview. "We're not in the business of selling anyone's information, and we're not in the business of having anybody log in [to see] or expose anybody's private information."
Stephenson said the site does not handle or store any transcripts, which are provided by the schools to the students.
Her husband and coworker, Demtri Stephenson, said the site gathers no credit card information and all payments are done through PayPal, a separate online payment service.
In an e-mail, he said NeedMyTranscript has investigated the issue and taken steps to secure customer information. The company has hired a cybersecurity firm to investigate the matter further and to ensure proper security measures are in place, he said. "We will continue to monitor activity on the Web site and will take appropriate steps if we discover that information has been acquired in a manner that may result in harm to any of our customers," he said.