Children's data breached in admissions site vulnerability - AI News Today Recency

📅 Published: 2/19/2026
🔄 Updated: 2/19/2026, 5:41:43 PM

# Children's Data Breached in Admissions Site Vulnerability

A student admissions website used by families to enroll children into schools has exposed sensitive personal information through a significant security lapse[3]. The vulnerability, which has since been fixed, highlights growing concerns about how educational technology platforms protect children's data in an increasingly regulated environment.

## What Happened in the Admissions Site Breach

The security flaw allowed unauthorized access to children's personal information stored on the admissions platform[3]. This incident comes amid a broader pattern of data breaches affecting educational institutions and student information systems. The vulnerability represents a critical failure in security protocols designed to protect one of the most sensitive categories of personal data: information belonging to minors.

Educational technology platforms handling student enrollment data face particular scrutiny because they collect comprehensive personal details including names, contact information, dates of birth, and sometimes medical or special needs information. The exposure of such data through a public-facing admissions website demonstrates how easily attackers can exploit configuration errors or unpatched vulnerabilities to access protected information at scale.

## Rising Regulatory Pressure on Children's Data Protection

Federal regulators have made children's privacy protection a top enforcement priority, with the Federal Trade Commission (FTC) implementing significant new requirements under the amended Children's Online Privacy Protection Act (COPPA)[6]. The updated rules, which take effect in April, mandate that operators collecting data from children under 13 establish written information security programs and data retention policies[4].

The FTC's enforcement actions reflect this heightened focus. Recent settlements include a $20 million penalty against Cognosphere for collecting personal information from children in violation of COPPA through its video game Genshin Impact, and a $500,000 penalty against robot toy maker Apitor for collecting geolocation data without parental consent[5]. These actions signal that regulators intend to enforce children's privacy requirements aggressively across all sectors, including education technology.

Beyond federal regulations, states have begun implementing their own protections. New York's Child Data Protection Act restricts data collection from minors, limits certain design features deemed harmful, and prohibits targeted advertising to minors[6]. Similar age-gating and parental consent regimes have been adopted in Utah, Arkansas, and Louisiana[6].

## Learning from Major Education Sector Breaches

The admissions site vulnerability adds to a troubling pattern of breaches in the education sector. One of the largest education-sector data breaches ever investigated in Canada involved PowerSchool, a student information system widely used by Canadian school boards[1]. In late 2024, threat actors gained access using compromised credentials from a support contractor, exfiltrating sensitive data affecting millions of individuals across multiple provinces[1].

The PowerSchool investigation revealed that compromised data included names, dates of birth, contact details, student ID numbers, medical alert fields, accommodations, and guardianship indicators[1]. Similarly, the Illuminate Education breach exposed personal information of millions of students across multiple states, including over 434,000 California students and 1.7 million New York students[5]. That breach occurred when a hacker accessed Illuminate's network using credentials from a former employee whose access had not been removed[5].

Regulators investigating these breaches found that school boards remained legally responsible for protecting personal information even when third-party vendors operated the systems[1]. The investigations highlighted failures in cybersecurity safeguards, contract management, data retention practices, and breach preparedness[1].

## What Organizations Must Do to Comply

Educational technology providers and school districts must now implement comprehensive security measures to meet evolving regulatory requirements. Under the amended COPPA rules, operators must designate employees to coordinate information security programs, conduct risk assessments at least annually to identify risks to children's data, and design safeguards to control identified risks[4].

Organizations also face new requirements for obtaining verifiable parental consent. Approved methods include requiring parents to use a credit card for transaction alerts and using knowledge-based authentication with multiple-choice questions that would be difficult for children age 12 and younger to answer[4]. Additionally, companies must establish and publish written data retention policies specifying how long children's information will be kept[4].

The FTC has signaled that its enforcement priorities include protecting children's privacy, halting unfair collection and selling of sensitive data, and pursuing violations involving deficient security practices[5]. Compliance deadlines are approaching, with many organizations needing to prioritize updates to their data collection, retention, security, and disclosure practices by April 2026[4].

## Frequently Asked Questions

### What personal information is typically exposed in education sector breaches?

Education sector breaches commonly expose names, dates of birth, contact information, student ID numbers, Social Security numbers, medical alert information, and special accommodations or guardianship indicators[1][2]. The specific data varies depending on what information schools collect and store in their systems.

### Who is legally responsible for protecting student data when a third-party vendor is breached?

School boards and educational institutions remain legally responsible for protecting personal information even when third-party vendors like PowerSchool or Illuminate Education operate the systems[1]. This means schools cannot shift all liability to vendors and must ensure adequate contract management and cybersecurity oversight.

### What are the new COPPA requirements taking effect in 2026?

The amended COPPA rules require website and online service operators collecting data from children under 13 to establish written information security programs, conduct annual risk assessments, implement data safeguards, maintain written data retention policies, and obtain separate verifiable parental consent before sharing children's data with third parties[4][6].

### How much have the FTC fined companies for children's privacy violations?

Recent FTC penalties include $20 million against Cognosphere for collecting children's data without consent through Genshin Impact, $5.1 million against Illuminate Education for false security claims and inadequate protections, and $500,000 against Apitor for collecting geolocation data without parental consent[5].

### What should parents do if their child's information was exposed in an admissions site breach?

Parents should monitor their child's credit reports, enroll in available identity protection services if offered by the affected organization, watch for suspicious activity, and consider placing a fraud alert or credit freeze on their child's accounts[2]. Many breached organizations now offer free credit monitoring services like Experian IdentityWorks to affected families.

### Are there state-level privacy laws protecting children's data beyond COPPA?

Yes, states including New York, Utah, Arkansas, and Louisiana have implemented their own privacy protections for minors[6]. New York's Child Data Protection Act restricts data collection, limits addictive design features, and prohibits targeted advertising to minors[6]. These state laws may face constitutional challenges but represent a clear regulatory trend toward heightened protections for children's data.

🔄 Updated: 2/19/2026, 3:21:07 PM
**BREAKING: Expert Analysis on Children's Data Breach in Admissions Site Vulnerability** Cybersecurity experts warn that the recent bug in a major student admissions website, now patched, exposed sensitive personal information of potentially thousands of children, underscoring vulnerabilities in ed tech platforms amid rising breaches like Illuminate Education's 2025 incident affecting over **434,000 California students** and **1.7 million New York students**[5]. FTC Associate Director insights via Womble Bond Dickinson emphasize that amended COPPA rules demand "written information security programs" with annual risk assessments and separate parental consent for third-party sharing, signaling aggressive 2026 enforcement[4][7]. Industry voices at Bryan Cave Leighton Paisner note regulators are prioritizin
🔄 Updated: 2/19/2026, 3:31:14 PM
**LIVE NEWS UPDATE: PowerSchool Stock Plunges Amid Massive Children's Data Breach Fallout** PowerSchool shares tumbled **12.4%** in midday trading Thursday, shedding over **$450 million** in market cap to close at **$21.67** per share, as investors reacted to revelations that hackers exploited a basic lack of two-factor authentication to steal data on **50 million+ students** and parents, including SSNs and medical records[1][2][3]. CEO Hardeep Gulati admitted in a March 2025 letter, "we made the decision to pay a ransom because we believed it to be in the best interest of our customers," fueling concerns over the firm's security lapses highlighted i
🔄 Updated: 2/19/2026, 3:41:09 PM
A **security vulnerability in a student admissions website exposed children's personal information**, prompting the platform to fix the flaw[1]. The incident reflects broader regulatory momentum, as the FTC's amended COPPA Rule—now in effect—requires companies to establish written security programs, conduct annual risk assessments, and implement safeguards to protect children's data, with organizations having until April to achieve full compliance[3]. Industry experts warn that many organizations will need to "prioritize and update their data collection, retention, security, and disclosure practices" to meet the heightened standards, signaling that enforcement actions against inadequate cybersecurity protections will intensify across federal and state agencies[5].
🔄 Updated: 2/19/2026, 3:51:18 PM
**Ravenna Hub, a student admissions platform, fixed a critical security flaw that exposed personal data of children applying to schools[7].** The vulnerability allowed unauthorized access to sensitive information submitted by families during the enrollment process, though specific details about the scope of exposed records and types of data compromised were not disclosed in available reports[6][7]. The platform's remediation highlights ongoing cybersecurity vulnerabilities in education technology systems, following major breaches at PowerSchool and Illuminate Education that collectively exposed data on millions of students[2][1].
🔄 Updated: 2/19/2026, 4:01:35 PM
**BREAKING: Ravenna Hub Admissions Site Vulnerability Exposes Children's Data, Drawing Expert Scrutiny on COPPA Compliance.** Cybersecurity experts hailed Ravenna Hub's rapid patch of the critical flaw in its student admissions platform, which exposed personal details of thousands of children applying to schools, but warned it underscores "persistent gaps in access controls for minor data."[1][3] FTC enforcement trends, including a $5.1 million settlement with Illuminate Education for breaching 434,000 California students' records via unrevoked ex-employee access, signal regulators will demand "written security programs and annual risk assessments" under amended COPPA rules effective April 2026.[4][5] Industry firm White & Case urges operator
🔄 Updated: 2/19/2026, 4:11:17 PM
A **student admissions website** has fixed a critical security vulnerability that exposed children's personal information during the enrollment process[5][7]. The Ravenna Hub platform, used by families to enroll children into schools, addressed the flaw after it was discovered to be exposing sensitive data[7].
🔄 Updated: 2/19/2026, 4:21:24 PM
A student admissions website fixed a **critical security flaw** that exposed children's personal information[2][4]. The Ravenna Hub platform, used by families to enroll children into schools, had the vulnerability patched after it was discovered exposing sensitive data of applicants[4]. The breach underscores growing regulatory pressure on educational platforms, as the FTC's amended COPPA Rule now requires written security programs for children's data and mandates separate verifiable parental consent for third-party data sharing[5][6].
🔄 Updated: 2/19/2026, 4:31:32 PM
A critical security flaw in **Ravenna Hub**, a student admissions platform serving over a million students, exposed children's personal information including names, dates of birth, addresses, and school details to any logged-in user through an insecure direct object reference vulnerability[1]. The bug, which allowed sequential manipulation of student profile numbers to access up to 1.63 million records, has raised competitive concerns as the exposure potentially revealed which schools families were targeting and application statuses—sensitive intelligence for rival admissions platforms and education technology providers[1][2]. VentureEd Solutions, the Florida-based developer, patched the vulnerability the same day TechCrunch disclosed it on Wednesday, though the incident under
🔄 Updated: 2/19/2026, 4:41:28 PM
**Ravenna Hub, a student admissions platform serving over 1 million students, exposed sensitive children's data including names, dates of birth, addresses, and photographs through an insecure direct object reference vulnerability that allowed any logged-in user to access records by modifying sequential student profile numbers in the browser address bar.[1]** The Florida-based VentureEd Solutions fixed the flaw after TechCrunch disclosed it, with approximately 1.63 million student records potentially accessible before the patch was implemented.[1] The breach underscores growing regulatory pressure on youth-focused services, as federal and state regulators have intensified enforcement around children's privacy protections, with the FTC recently impos
🔄 Updated: 2/19/2026, 4:51:28 PM
A critical security flaw in **Ravenna Hub**, a student admissions platform serving over a million students, exposed children's personal information including names, dates of birth, addresses, photographs, and school details to any logged-in user.[1] The vulnerability, an insecure direct object reference (IDOR) that allowed access by simply modifying sequential student profile numbers, potentially affected more than 1.63 million records before TechCrunch discovered and reported it on Wednesday.[1] VentureEd Solutions, the Florida-based company behind Ravenna Hub, fixed the bug the same day of notification.[1]
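
The access-control failure described above, as an added example that is not Ravenna Hub's code: a handler that only checks for a logged-in session, next to one that authorizes each record, with a regression check that compares what one account can read. The roles, field names, in-memory store and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    role: str                          # hypothetical roles: "guardian", "school_staff"
    school_ids: frozenset = frozenset()

@dataclass(frozen=True)
class Profile:
    profile_id: int                    # sequential seven-digit number, as reported
    guardian_id: str
    applied_school_ids: frozenset
    name: str

# Constructed sample data; no value here comes from the incident.
PROFILES = {p.profile_id: p for p in (
    Profile(1000001, "parent-a", frozenset({"S1"}), "Sample Child A"),
    Profile(1000002, "parent-b", frozenset({"S2"}), "Sample Child B"),
    Profile(1000003, "parent-c", frozenset({"S1", "S2"}), "Sample Child C"),
)}
PARENT_A = Account("parent-a", "guardian")
STAFF_S1 = Account("staff-1", "school_staff", frozenset({"S1"}))

def get_profile_vulnerable(account, profile_id):
    """Authentication only: any logged-in account gets any existing record."""
    if account is None:
        raise PermissionError("login required")
    return PROFILES[profile_id]        # KeyError (a LookupError) if absent

def may_read(account, profile):
    """Object-level rule: the owning guardian, or staff at a school applied to."""
    if account.role == "guardian":
        return profile.guardian_id == account.account_id
    if account.role == "school_staff":
        return bool(account.school_ids & profile.applied_school_ids)
    return False                       # unknown roles are denied by default

def get_profile_fixed(account, profile_id):
    """Authentication plus a per-record authorization check on every request."""
    if account is None:
        raise PermissionError("login required")
    profile = PROFILES.get(profile_id)
    # Same error for "absent" and "not yours", so responses do not reveal
    # which profile numbers exist.
    if profile is None or not may_read(account, profile):
        raise LookupError("profile not found")
    return profile

def readable_ids(handler, account, candidate_ids):
    """Regression check: which candidate IDs return data for this account?"""
    seen = []
    for pid in candidate_ids:
        try:
            handler(account, pid)
            seen.append(pid)
        except (PermissionError, LookupError):
            pass
    return seen
```

Replacing sequential numbers with random identifiers makes records harder to guess but does not substitute for the per-record check in `get_profile_fixed`.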
🔄 Updated: 2/19/2026, 5:01:44 PM
A critical security vulnerability in **Ravenna Hub**, a student admissions platform serving over a million students, exposed children's names, dates of birth, addresses, photographs, and parent contact information to any logged-in user through an insecure direct object reference flaw[1]. The bug allowed access to approximately **1.63 million records** before it was patched, with sequential student profile numbers making it possible for competitors or bad actors to view other families' application data, school choices, and enrollment status across thousands of schools[1][2]. VentureEd Solutions, the Florida-based company behind Ravenna Hub, fixed the vulnerability the same day TechCrunch disclosed it on Wednesday, though questions
🔄 Updated: 2/19/2026, 5:11:35 PM
A critical security vulnerability in **Ravenna Hub**, a student admissions platform serving over a million students, exposed sensitive personal information including children's names, dates of birth, addresses, photographs, and school details to any logged-in user through an insecure direct object reference (IDOR) flaw.[1] The vulnerability, discovered Wednesday and patched the same day, potentially affected slightly more than 1.63 million records due to sequential student numbering that allowed users to access another student's profile by simply modifying digits in the web address.[1] Security experts warn that exposure of children's data poses heightened risks—the Federal Trade Commission has cautioned that minors' identities can be exploited undet
🔄 Updated: 2/19/2026, 5:21:42 PM
**BREAKING: Expert Analysis on Ravenna Hub Children's Data Breach** Security experts identified the flaw in Ravenna Hub—a platform serving over **1 million students** and processing **hundreds of thousands** of applications yearly—as a classic **insecure direct object reference (IDOR)** vulnerability, where logged-in users could alter sequential seven-digit profile IDs in the browser to access any of **1.63 million** children's records, exposing names, birth dates, addresses, photos, school details, and parents' contact info.[1][2] Industry observers warn that such basic access control failures in youth platforms heighten risks like prolonged identity fraud in minors, who evade routine credit checks, and real-world safety threats from leaked addresses amid custody o
🔄 Updated: 2/19/2026, 5:31:41 PM
A critical security vulnerability in **Ravenna Hub**, a student admissions platform serving over a million students, exposed children's personal information including names, dates of birth, addresses, and school details to any logged-in user before being patched on Wednesday[1]. The breach has drawn attention amid intensified federal enforcement priorities, as the FTC's amended **COPPA Rule**—now in effect—requires companies to establish written security programs for children's data and mandates separate verifiable parental consent for third-party data sharing, with the agency signaling aggressive enforcement against violations[7]. VentureEd Solutions, which operates Ravenna Hub, has not publicly disclosed oversight of its cybersecurity practices, raising questions
🔄 Updated: 2/19/2026, 5:41:43 PM
**Ravenna Hub, a student admissions platform serving over a million students, exposed the personal data of approximately 1.63 million children through an insecure direct object reference (IDOR) vulnerability that allowed any logged-in user to access other students' records by simply modifying sequential profile numbers in the website's address bar.**[1] The breach exposed sensitive information including children's names, dates of birth, addresses, photographs, school details, parents' email addresses and phone numbers, and sibling information—data that poses heightened risks for identity fraud and physical safety threats given minors' lack of routine credit monitoring.[1][2] VentureEd Solutions, the Florida-based company that develops