A recent security lapse involving Ravenna Hub, an online admissions platform used by families to enroll children into schools, highlights a common challenge in modern application security: even basic vulnerabilities can lead to outsized data exposure when sensitive information is insufficiently protected.
In this case, a flaw known as an insecure direct object reference (IDOR) allowed any authenticated user to access the personal data of other users by modifying a numeric identifier in a URL. The exposed information reportedly included children’s names, dates of birth, home addresses, photos, and parental contact details. By any standard, these are all sensitive pieces of data.
IDOR vulnerabilities are well understood and preventable through proper authorization checks. However, incidents like this continue to occur, in part because many applications rely almost entirely on perimeter-centric controls like authentication, session management, and network security. This approach inherently assumes that data accessed by the application is safe once a user is logged in. That means access to the data was minimally governed, not scoped to those with a right to know; any active user could access any child’s information if they had the correct URL — and the URLs were sequential numbers.
Assumptions like these don’t make sense in a robust, holistic security strategy.
Rather than relying solely on the application layer to decide who can access sensitive information, data-centric approaches apply protections directly to the data itself. Down at the data level, sensitive fields can be encrypted and tied to explicit access policies. This means that even if an application flaw allows unauthorized access to a record, the data may remain unreadable to parties that lack the entitlement to view it.
In practical terms, this shrinks the impact of a vulnerability. A broken access control may still exist, but the outcome changes from widespread exposure of readable personal data to a far more limited incident involving encrypted information that cannot be easily misused. This reduction in blast radius can minimize harm, particularly when dealing with children’s data or other regulated personal information.
Data-centric protections also improve visibility after an incident. Fine-grained access controls and audit logs can help organizations determine whether sensitive data was actually accessed, by whom, and under what circumstances. This information is often missing when breaches are discovered.
One of Virtru’s customers described it well: An audit trail makes a big difference in beach response and remediation. Jason Karn, Chief Compliance Officer at Total HIPAA, described the importance of these logs when it comes to a HIPAA breach via email.
“Just having data encrypted point-to-point doesn't solve the problem,” said Karn. “It's just one issue, but if that's all it took, then Gmail, Google Workspace, and Office 365 would be sufficient. The real issue is, ‘What do you do when you send PHI to the wrong person?’ We have people with multiple ‘Johns’ in their contact list — they may send it to the wrong John. We had a client going through a major breach because of social engineering: Someone spoofed a member of upper management, and an employee sent out a file with names and PHI.
It became a real issue — we had to report it as a breach to The Department of Health and Human Services. If they’d had Virtru, they could have just denied access to the email and this entire crisis could have been averted. The impact would have been limited, it would have had tracking, and they could have changed the access controls. Now, the horse is out of the barn. The barn is on fire. It’s, ‘What do we do now?’’“
The Ravenna Hub situation may not be an incident that data-centric tools could have prevented entirely. However, said tools are an essential part of any security equation and can help significantly. In this particular case, any measure to further protect children’s personally identifiable information (PII) would be smart to implement as an additional layer of security.
When it comes to protecting children’s data, caution is always the best policy. As Virtru customer Showkat Choudhury, CIO at Central State University, puts it, students are “just starting their lives. At this early age, if they lost their most securely held information — date of birth, health records, social security numbers — if it’s compromised just one time, that information may float on the web for decades.”
It is important to note that no single security control can eliminate the risk of application vulnerabilities. Secure development practices, data governance, testing, and monitoring remain essential.
But as this story demonstrates, protecting sensitive data only at the application boundary leaves organizations exposed when inevitable mistakes occur. Embedding security directly into the data itself provides an additional layer of defense that can significantly limit the consequences of common, but costly, security flaws.