Student Data Exposed In Total Registration Security Incident

by Vendela Krenkel ‘20

On April 11, TotalRegistration.net, an online tool used to register for AP and PSAT testing, was notified of a potential security breach in its data storage platform. Total Registration is used by 22 of the 26 high schools in MCPS, Sherwood being one of them.

This security incident was brought to light by a journalist that discovered a misconfiguration in Total Registration’s Amazon S3 file storage service that could allow confidential student information to be accessed by a third party, such as name, address, and date of birth. Total Registration was adamant that sensitive elements of registration, such as social security number, credit card and login information, financial or medical information, and test scores, would not be available to any third party that had gained access to the exposed data.

Immediately after being warned, Total Registration began to take steps to remedy this issue. On April 12, the website redesigned its file storage service to upgrade their security. After reconfiguring the Amazon S3 service, Total Registration implemented new resources to prevent breaches from occurring again, such as student lists to better identify students that were potentially impacted, sample notice letters for school systems to send out to their families, and a notification tool to enhance communication between districts and their jurisdictions.

All student registration information files were deleted 48 hours after confirmation. Total Registration originally set up the failed data storage system in June 2016, so any registrations completed from that point to April 12, 2019 could have been accessed by third party sources. As of May 17, Total Registration insists that they are not aware of any evidence that any third party actually came across the information exposed, but are uncertain of whether others have.

MCPS continues to press for clarifications of how many students’ data was exposed in the incident, and how it could have been accessed, although in its last email to MCPS recipients, Total Registration had not yet replied with specifics. Now that AP exam season has ended, MCPS plans to reassess AP registration options to ensure students’ safety and security.