A security lapse in the Indian Education Ministry’s Digital Infrastructure for Knowledge Sharing (Diksha) app exposed the personally identifying information of millions of students and teachers for over a year.
A cloud server storing Diksha’s data was left unprotected, exposing millions of individuals’ data to hackers, scammers, and virtually anyone who knew where to look. The files stored on the unsecured server contained full names, phone numbers, and email addresses of more than 1 million teachers, and information about nearly 600,000 students.
A security researcher who discovered the exposure in June contacted Diksha’s support email address, alerting them to the data breach, identifying the source, and offering to share more information, but received no response.
This is not the first time Diksha has potentially mishandled sensitive information: a 2022 report from Human Rights Watch found that Diksha was able to track the location of students and shared data with Google.
It is not clear what actions have been taken by the Indian government or the Ministry of Education in response to this data breach. It is important for any organization or government agency that handles sensitive personal information to take appropriate measures to protect that information, including regular security audits and ensuring that any third-party vendors or partners also have strong security practices in place.
Furthermore, it is crucial for organizations to have a clear incident response plan in place and to promptly notify individuals and authorities if a data breach occurs.