An app operated by India’s Education Ministry has exposed the personally identifying information of millions of students and teachers for over a year, in a serious security lapse. The data was stored by the Digital Infrastructure for Knowledge Sharing app, or Diksha, a public education app launched in 2017. As schools were shuttered across the country due to the Covid-19 pandemic, Diksha became a primary tool for students to access materials and coursework from home. However, a cloud server storing Diksha’s data was left unprotected, exposing millions of individuals’ data to hackers, scammers, and virtually anyone who knew where to look.
Files stored on the unsecured server contained the full names, phone numbers, and email addresses of more than 1 million teachers. The teachers worked for hundreds of thousands of schools located in every state in India, according to data in the files verified by WIRED. Another file contained information about nearly 600,000 students. While the students’ email addresses and phone numbers were partially obscured, the data included the students’ full names and information about where they went to school, when they enrolled in a course through the app, and how much of the course they completed.
According to a UK-based security researcher who identified the exposure, there were thousands of files like this on the server. The researcher, who asked not to be named because they were not authorized to speak to the media, initially discovered the exposure in June and contacted the Diksha support email, alerting them to the data breach, identifying the source, and offering to share more information. However, the researcher received no response.
“There’s zero chance that it hasn’t been accessed and downloaded by a bunch of other people,” the researcher says of the exposed data.
WIRED reached out to the Ministry of Education and did not receive a response. Diksha was developed by EkStep, a foundation co-founded by Nandan Nilekani, who helped develop Aadhaar, the country’s national identification system. According to Deepika Mogilishetty, the chief of policy and partnerships at EkStep, while the foundation had been supporting Diksha for many years, India’s Ministry of Education ultimately implements the security and policies for how data is managed on Diksha. However, after WIRED sent Mogilishetty links to the unsecured server, it was quickly taken offline.
This isn’t the first time Diksha has potentially mishandled sensitive information. A 2022 report from Human Rights Watch found that Diksha not only was able to track the location of students, but also shared data with Google. In many cases, the Indian government mandated that teachers and students use Diksha, and Hye Jung Han, a researcher at Human Rights Watch who authored the 2022 report, says that the government provided no alternative methods for those who may not have wanted to use the app.
“What’s happening there from a child-rights lens is, you are fulfilling your responsibility to provide free education to every child, but the only type of state education that you’re making available is one that inherently violates kids’ rights,” says Han.
The unsecured storage server was hosted on Azure, Microsoft’s cloud platform. It’s unknown how long the data was left unprotected, but Google indexed more than 100 files from this server as early as October 2018. In other words, information stored on this vulnerable server was likely findable through a simple Google search for at least four years. While WIRED could not find instances of sensitive student and teacher data through a Google search, files with sensitive data were available for download through Grayhat Warfare, a searchable database of unsecured servers popular with security researchers and hackers.
This security lapse is a serious concern for students and teachers whose personal information has been exposed for over a year, and it raises questions about the responsibility and accountability of the Indian government and the organizations responsible for managing and securing the data. The fact that the data was left unprotected for so long, and that there have been previous issues with the mishandling of sensitive information, highlights the need for stricter regulations and oversight in the handling of personal data in India.
It is imperative that the Indian government takes immediate action to address this security lapse, and that steps are taken to ensure that personal data is protected in the future. This includes conducting a thorough investigation into the cause of the data breach, as well as implementing stricter security measures to prevent similar incidents from happening in the future. Additionally, the government should provide compensation and support for those affected by the data breach, including identity theft protection and credit monitoring services.
Furthermore, the government should also consider providing alternative methods for education that do not require the use of mandatory apps that handle personal data. This will give individuals the freedom to choose how they access and receive education without compromising their privacy.
In conclusion, the security lapse in India’s public education app, Diksha, exposed the personal information of millions of students and teachers for over a year, and it highlights the need for stricter regulations and oversight in the handling of personal data in India. The Indian government must act immediately to address the lapse and to ensure that personal data is protected in the future. Providing alternative methods of education that do not depend on mandatory apps handling personal data would also give individuals the freedom to choose how they access and receive education without compromising their privacy.