A partner of the Boy Scouts of America inadvertently exposed the personal information of children and their parents last month.
What happened: Boy Scouts nationwide sell popcorn to raise funds for activities like camping trips — just like Girl Scouts sell cookies. To facilitate the sales process, Boy Scouts of America uses a third-party fundraising organization called Trails End.
All scouts are instructed to enter certain personal information so they can attain a public sales page, which they can use to share with friends and family members to drum up their popcorn sales. Scouts and their parents share these pages on social media, so it’s possible to find them through a Google search.
Last week, Trails End said it notified Boy Scouts of America and local councils of “a data incident” that a web developer noticed. Certain information — including children’s full names, dates of birth, email addresses, phone number, parent names, favorite product and affiliation (council, district, unit) — was visible through a search.
It’s unclear how many users’ information was vulnerable during the “incident,” and whether it was a local issue or a national one. Mecklenburg County Council includes roughly 11,900 youth participants alone, according to the group’s website.
Nationwide, Boy Scouts of America has more than 2.3 million youth members between the ages of 7 and 21 and nearly 1 million adult volunteers, according to its website.
It’s also unclear how long the information was exposed. In an email disclosure to users, Trails End said it had fixed the problem that would have allowed unauthorized users to view the data.
“We apologize for this incident,” the company wrote last week. “We are taking steps to increase the security and monitoring of our systems and will continue to put our users first.”
Trails End refuted the characterization of the issue as a “leak.”
“The person who accessed the data is a Scout parent who is a web developer and knew how to find information that most users do not,” chief information officer Chris Naviaux said.
In an email to the Agenda, Boy Scouts of America acknowledged the breach and called the privacy of its customers “a top priority.”
The nonprofit could not be reached for additional comment.
Why it matters: As more transactions occur online, the incident calls into question just how secure children’s personal information is on the Internet.
Johanna Casey, whose elementary school-aged son is a scout in Wake Forest, did not receive a disclosure from Trails End or Boy Scouts of America. She said selling popcorn through Trails End is “basically a requirement” to cover the costs of activities for her son’s troop, which has about 40 kids. The sale is going on now and lasts through late October, she said.
“It definitely is concerning,” Casey said of the data breach.
Bill Chu, a professor of software and information systems at UNC Charlotte, said it’s not surprising to encounter data breaches among small companies.
“The problem is, a lot of the third-party vendors, particularly small companies, don’t really have good security programs. Some of them are nonexistent; some are very rudimentary,” Chu told the Agenda.
After all, investing in cybersecurity is expensive. The costs add up for organizations to train cybersecurity professionals, invest in new security technology, and to ensure security processes are up to speed, such as patching computers and securely configuring networks.
Chu noted that the Boy Scouts affiliate’s data leak did not expose ultra-sensitive information such as social security numbers or bank information.
“In the grand scheme of things, there is some information that’s more sensitive than others,” Chu said.
Potential bad actors who gained access to the Boy Scouts’ information would therefore be limited in what they were to do with it. The main thing, Chu said, would be phishing emails. A phishing message would attempt to elicit more sensitive information from a recipient by portraying itself, the sender, as legitimate.
The breach comes at a time of significant changes for Boy Scouts of America.
Last year, for the first time in its history, the organization allowed girls to join some of its scouting programs.
Boy Scouts of America, founded in 1910, is also considering filing for bankruptcy as it faces declining membership and mounting legal fees that stem from cases of sexual abuse allegations, the Wall Street Journal reported in December.