College Athlete Recruiting Software Exposed Students' Medical Info, Grades

The exposed information from company Front Rush included physical evaluations, post-injury reports, and performance reviews from specific teams for particular players.

Front Rush, a technology company that provides services to college athletics programs, exposed a server containing more than 700,000 files to the open internet, including college athletes' medical records, performance reports, driver licenses, and other personal information.

Front Rush works with over 30,000 coaches and 9,500 teams, according to its website. The company confirmed the data exposure in a statement.


"The privacy of our users' information is our top priority and we have extensive policies in place to protect that data. The bucket is closed and we will continue to monitor the server to ensure the highest security," a spokesperson wrote in an email, referring to the Amazon Web Services (AWS) server that was exposed.

Items exposed included students' SAT scores, personal addresses, dates of birth, physical evaluations, post-injury reports, performance reviews from specific teams for particular players, and athletic financial aid agreements.

"Front Rush offers many industry-leading roster and recruiting features for coaches, combined with customized support services and access to game-changing scouting capabilities. Our Front Rush Essentials and ELITE packages are designed to service the unique needs of all coaches, at all levels," Front Rush's website reads.

A security researcher discovered the exposed server and flagged the issue to Motherboard. Motherboard granted the researcher anonymity to speak more openly about a data exposure.

The researcher said they originally warned Front Rush of the issue on Sunday. When the company did not respond or take action, the researcher contacted Motherboard on Tuesday. Front Rush has since closed off the server.
