
There was apparently an IT vulnerability in the widely used “Stay Informed” service that put the data of numerous users at risk. As the computer magazine “c’t” reports, information such as names, dates of birth and addresses of minors could be accessed from outside via the vulnerability. In some cases it was even possible to access information about countries of origin, vaccinations and religious denominations. According to “c’t” research, information on legal guardians, emergency contacts and class teachers was also affected.

According to the magazine, a web server belonging to “Stay Informed” was inadequately secured. In addition, outdated software was used and the data was not transferred with HTTPS encryption. According to the report, in some cases the server also contained photos of children and adults who had uploaded them as profile pictures for a chat function.

It initially remained unclear whether the vulnerability was exploited by criminals; the magazine had received an anonymous tip about the vulnerability. It also remained unclear exactly how many users the problem affected. According to c't, there were 16,000 image files and 1,500 CSV files on the open server, each of which was said to have contained "personal data from a large number of people."

800,000 users

In total, the “Stay Informed” app, which is operated by the Freiburg-based Stay Informed GmbH, is used by just over 11,000 facilities such as daycare centers, schools and after-school care centers. According to its own information, it has over 800,000 users. Parents can use the app to access appointments and information about their children’s care centers. It is also possible to report sickness or contact carers via the app.

According to “c’t,” the app operators immediately remedied the problem after the magazine brought it to their attention. The company's managing director notified all facilities that use its software on Wednesday, the magazine's report continued. According to him, the misconfiguration of the web server that put the data at risk began in October 2021 at the earliest and in August 2023 at the latest.

The data protection officer for the state of Baden-Württemberg confirmed to SPIEGEL that it had been informed about the incident by the company “Stay Informed”.

Daycare centers should report incidents to the authorities

In fact, numerous reports could be received by local data protection authorities in the coming days. “Stay Informed” advises institutions that use the service to inform the data protection supervisory authority responsible for them in their respective federal state. Baden-Württemberg's data protection officer reported that there were already reports from numerous institutions or providers in the state.

The operators of the app see themselves as software service providers; they see daycare centers, schools and after-school care centers as responsible for data protection. This would mean that some already overburdened care facilities would now also have to deal with questions of data protection law.