Children’s data open on the Internet: Security breach in the Stay Informed daycare app – Economy

Many fathers and mothers who report their child sick to daycare or register them for an upcoming trip use the Stay Informed app. A few clicks on your smartphone and the job is done, practical for parents. After-school care centers, schools and care facilities are also among the customers of the Freiburg company Stay Informed. The app simplifies communication and organization, but educators and parents also use it to exchange highly sensitive child data. Now an anonymous informant has alerted the computer magazine c’t to a major data leak at Stay Informed.

Names, dates of birth and addresses of minors could be accessed via a security gap, including in some cases data on countries of origin, religious denominations or vaccinations. According to research by c’t magazine, information about legal guardians, emergency contacts and class teachers could also be viewed. In some cases, photos of children and adults that they had set as profile pictures in the app’s chat function were even accessible from outside. Uploaded PDF files and parents’ digital but encrypted signatures were also affected by the data breach.

The office of the State Commissioner for Data Protection in Baden-Württemberg confirmed to the Süddeutsche Zeitung that Stay Informed had contacted them about the matter. In addition, “numerous providers and daycare centers” reported to the authorities about the data leak.

It is unclear whether the data breach was exploited

The reason for the breakdown: A web server from the company Stay Informed was not sufficiently secured, writes c’t. The Freiburg company used outdated software that did not transmit the sensitive data with the necessary HTTPS encryption. It remained unclear whether the data breach was exploited by criminals and also how many users were affected.

On Monday, the c’t editorial team informed Stay-Informed managing director Jürgen Thiel about the data leak, whereupon he had the gap closed immediately. According to Thiel, the web server was configured incorrectly. According to him, the data leak has existed since October 2021 at the earliest and since August last year at the latest. 15 percent of the facilities and providers that use Stay Informed were affected. The company informed all institutions on Wednesday afternoon, as well as the data protection officer of the state of Baden-Württemberg.

Thousands of institutions will probably report the data leak to the state data protection authorities throughout Germany in the coming days. More than 11,000 daycare centers, after-school care centers and schools use the app in this country – the company has a total of more than 840,000 users. Educators can communicate directly with parents via the smartphone app and save themselves information sheets, circular emails or notices on bulletin boards that not everyone always gets to read.

Of course, this communication must be protected from outside access, especially since it involves the data of minors. Stay Informed writes on its website that it always develops its software together with IT security experts and data protection officers. Now managing director Thiel, who could not be reached on Friday for a request from the Süddeutsche Zeitung, is being asked how the data leak could still have occurred.

In an information email to all affected customers, which was available to c’t magazine, Stay Informed wrote that there were no further data gaps. In the future, the company wants to have the infrastructure scanned weekly, and thus prevent birth dates, addresses or even photos of children from being publicly visible again.
