Schools email marketing company told us to go away when we told them of exposed database creds, say infoseccers
2021-10-12 09:15

An email marketing company claiming to hold details on a million UK teachers and school admin personnel was potentially exposing those details to the public internet thanks to a misconfigured error page on its website.

Not only that, but the Schools Marketing Company seemingly dismissed the findings of the infosec company which spotted the flaw when the infoseccers tried to draw its attention to the problem.

An email shown to The Register by Pen Test Partners, described by the firm's consultant Andrew Tierney as "The most arrogant response I've ever had to a disclosure," said the company wasn't interested in hearing about the vulnerability.

The Schools Marketing Company website boasts that it is "GDPR and PECR compliant, registered with the Information Commissioner since 2007" and that it has "Over one million personal, school emails for UK teachers and staff, working in over 250 job function areas in schools."

Most companies receiving a disclosure from a reputable firm tend to take it seriously - with the best in the industry having proper vuln disclosure policies and a security.

The ICO has been made aware of the potential breach and confirmed that Schools Marketing Company is a registered data processor.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/12/schools_marketing_company_database_credentials_exposed/