A security lapse in an app operated by India’s Education Ministry exposed the personally identifying information of millions of students and teachers for over a year.
The data was stored by the Digital Infrastructure for Knowledge Sharing app, or Diksha, a public education app launched in 2017. At the height of the Covid-19 pandemic, when the government was forced to shutter schools across the country, Diksha became a primary tool for allowing students to access materials and coursework from home.
But a cloud server storing Diksha’s data was left unprotected, exposing millions of individuals’ data to hackers, scammers, and practically anybody who knew where to look.
Files stored on the unsecured server contained the full names, phone numbers, and email addresses of more than 1 million teachers. According to data in the files, verified by WIRED, the teachers worked for hundreds of thousands of schools located in every state in India. Another dossier contained information about almost 600,000 students. While the students’ email addresses and phone numbers were partially obscured, the data included the students’ full names and information about where they went to school, when they enrolled in a course through the app, and how much of the course they completed.
According to a UK-based security researcher who identified the exposure, there were thousands of files like this on the server. (The researcher asked not to be named because they were not authorized to speak to the media.)
After initially discovering the exposure in June, the researcher contacted the Diksha support email, alerting them to the data breach, identifying the source, and offering to share more information. They received no response. “There's zero possibility that it hasn't been accessed and downloaded by a bunch of other people,” the researcher says of the exposed data.
WIRED reached out to the Ministry of Education and did not receive a response.