A security bug in an app operated by the Indian Ministry of Education exposed the personal information of millions of students and teachers for more than a year.
The data was stored on the Digital Infrastructure for Knowledge Sharing or Diksha app, a government educational app launched in 2017. In the midst of the Covid-19 pandemic, when the government was forced to close schools across the country, Diksha became the go-to tool for students to access materials and coursework from home.
But the cloud server that stored Diksha’s data was left unprotected, exposing millions of people’s data to hackers, scammers, and just about anyone who knew where to look.
Files stored on the insecure server contained the full names, phone numbers and email addresses of more than 1 million teachers. According to the data in the files checked by WIRED, the teachers worked in hundreds of thousands of schools located in every state of India. Another file contained information on nearly 600,000 students. While students’ email addresses and phone numbers were partially hidden, the data included students’ full names and information about where they went to school, when they signed up for a course through the app, and which part of the course they took.
According to the British security researcher who discovered the vulnerability, there were thousands of such files on the server. (The researcher asked not to be named because he is not authorized to speak to the media.)
After discovering the exposure in June, the researcher contacted Diksha support via email, alerting them to the data breach, identifying the source, and offering to share more information. The researcher did not get a response. “There is no chance that they weren’t accessed and downloaded by a group of other people,” the researcher says about the exposed data.
WIRED contacted the Ministry of Education and received no response.
Diksha was developed by EkStep, a foundation co-founded by Nandan Nilekani, who helped develop Aadhaar, the country’s national identification system. According to Deepika Mogilishetti, head of policy and partnerships at EkStep, while the foundation has been supporting Diksha for many years, the Indian Ministry of Education ultimately enforces security and data governance policies in Diksha. However, after WIRED sent Mogilishetti links to the insecure server, it was quickly taken down.
This is not the first time Diksha has potentially mishandled sensitive information. A 2022 report by Human Rights Watch found that Diksha not only tracked students’ locations, but also shared data with Google. In many cases, the Indian government has mandated that teachers and students use Diksha, and Hye Jung Han, a researcher at Human Rights Watch and author of the 2022 report, says the government has not provided alternative methods for those who may not have wanted to use the Diksha app.
“What is happening in terms of child rights is that you are fulfilling your obligation to provide a free education to every child, but the only type of public education that you make available is one that inherently violates children’s rights,” Han says.