Father Says He Found a Security Gap on Student-Related Website

A father found a security gap on a site that holds the personal information of students

NBC Universal, Inc.

Elias Castillo is a dog lover and a father. He is quick to explain what he is not.

“I’m not a hacker,” he said. “That’s not what I do for a living.”

He is a cyber security engineer, and when he had to purchase special health insurance so his son could play sports, the school referred him to Health Special Risk, Inc., an insurance company that sells the policies, he said.

“I completed the sign-up process for my kid but then I come back later to the site, just kind of by curiosity to check the security of my kid’s record,” he said. “I found that the site wasn’t really that secure.”

Elias said he did a quick security check of the site and was able to see the records of other students.

“So that was like, whoa, this is pretty simple,” he said. “I shouldn’t be able to access people’s data like that.”

He said the data included personally identifiable information like a student’s name, date of birth, address, school name, phone number and email address.

“I mean the site asks you for the social security number,” he said. “I think it’s just a lot of information that obviously could be used for malicious purposes.”

Elias was so worried that he reached out to NBC 6 Responds.

“By calling you guys, I’m hoping to get a faster response and for them to take this obviously seriously,” he said. “It’s a big deal. It’s people’s private information.”

We contacted Miami-Dade County Public Schools and the insurance company to share what Elias found.

In a statement, HSRI said in part, “After being alerted that an individual gained unauthorized access to certain areas of our website, we immediately investigated the issue and promptly resolved it. We are continuing to investigate the circumstances surrounding that unauthorized access. Protecting the personal data of our customers is our highest priority…”

The school district told NBC 6 Responds that after learning about what happened, it “…reached out to the third party administrator, HSRI …” The district also said, “…it appears that no student data was compromised…”

Elias told us he later checked out the site again.

“I was happy and very excited to see that they had already fixed it,” he said.
