Lessons learned from the ProctorU breach: Be transparent and timely

David Strom 18 Aug 2020

The recent ProctorU breach affects the brand, students, and the future of the virtual classroom landscape alike

As more learning moves online through virtual classrooms, the potential for data breaches and malware spread increases, because the remote connections and the user data these platforms collect could be compromised by hackers.

Last month, data belonging to ProctorU, an online exam-taking platform for college students, was leaked and posted online by hackers. The website offers the ability to monitor a student remotely and determine if they are cheating while taking a test. Just as an on-premises proctor can walk the classroom and observe behavior, the online proctors can ask the student to show them parts of their room with their webcam or to share their screen.

Details of the breach

Data from nearly half a million student accounts was posted, containing email addresses, full names, addresses, phone numbers, hashed passwords, and the affiliated colleges. Fortunately, no financial records or test results were leaked. The link above has a sample screenshot of the data, which has been verified as genuine. The data leak was part of a larger breach that Bleeping Computer wrote about earlier in July that involved more than 380 million records collected from 18 different corporate sources.

ProctorU representatives didn’t immediately respond to requests from the Bleeping Computer writers. It took several weeks and another investigation by student reporters at Honi Soit, the student newspaper of the University of Sydney in Australia, before the company admitted the breach in this brief notice on the company’s website. The notice, which was posted a few days after the student paper’s article, is very carefully worded, saying that only customers who had signed up prior to March 2015 were at risk. However, what was not stated in the notice is that the leaked data from these customers could span several years, from 2012 to 2017. Granted, having a short notice posted is better than no notice at all, but the company could have been more specific and forthcoming.

The student paper reported that students raised privacy concerns with the University back in May and requested that ProctorU be replaced with another solution.

What we can learn from ProctorU's response

Delays of weeks aren’t the longest reported in the current crop of breaches, but what the ProctorU situation shows is a lack of cooperation with security researchers and a lack of transparency with business journalists. This harms the company’s brand and erodes its customers’ trust in the business. This is especially relevant for software such as ProctorU’s, because hackers can take advantage of remote control tools or design malware to mimic their actions.
