Edtech Startup Edureka Suffers Server Breach, Data Of 2 Mn Users Exposed

Indian edtech platform Edureka has suffered a significant data breach, one that left names, addresses and phone numbers of more than 2 Mn users unprotected for over a week.  

Cybersecurity experts working with SafetyDetectives, an antivirus review website, first discovered the vulnerability on August 1, and following their protocol, contacted Edureka on August 6 to inform them about the same. Failing to receive a response, the team contacted the Indian Computer Emergency Response Team (CERT-In), India’s nodal authority for cybersecurity, on August 13. Subsequently, the server was secured. 

The SafetyDetectices report mentions that the vulnerability was with Edureka’s US-based Elasticsearch server which was left unsecured, without password protection. The SafetyDetectices security research team, led by Anurag Sen is said to have found 25 gigabytes of data, containing more than 45 Mn breached records of personal data. Since some of the records were duplicated, the number of users affected by the data breach is conservatively estimated to be around 2 Mn, with most of them in India and a handful in other countries such as the US as well.

In its response to Mint, Edureka confirmed that the server breach had occurred, but denied that any personal information of users was compromised. 

The Bengaluru-headquartered Edureka, founded in 2011 by Lovleen Bhatia, is an online learning platform which offers short term as well as degree-level courses in collaboration with educational institutes. The company’s server is hosted by Amazon Web Services.

The SafetyDetectives report on the Edureka server breach mentions that instances, where bytes of personal information are leaked together, can severely impact affected users as it allows malicious hackers to launch more sophisticated attacks targeted at individuals. 

Last month, SafetyDetectives had reported a similar breach of the production server of RailYatri, an Indian government-sanctioned travel marketplace. The breach was said to have left the personal data of 7 lakh users, including names, contact numbers, email addresses and payment cards information exposed. 

India Remains Vulnerable To Cyber Attacks

On September 22, the Ministry of Electronics and Information Technology (MeITY) told the Parliament that Indian citizens, commercial and legal entities faced almost 7 lakh cyberattacks till August this year.

The Indian Computer Emergency Response Team (CERT-In) has “reported 49,455, 50,362, 53,117, 208,456, 394,499 and 696,938 cybersecurity incidents during the year 2015, 2016, 2017, 2018, 2019 and 2020 (till August) respectively,” the MeITY said while responding to an unstarred question in the Lok Sabha regarding cyberattacks on Indian citizens and India-based commercial and legal entities.

According to an Inc42 report from January this year, government data shows that in 2019 alone, India witnessed 3.94 lakh instances of cybersecurity breaches. In terms of hacking of state and central government websites, Indian Computer Emergency Response Team (CERT-In) data shows that a total of 336 websites belonging to central ministries, departments and state governments were hacked between 2017 and 2019. 

According to Nasscom’s Data Security Council of India (DSCI) report 2019, India witnessed the second-highest number of cyberattacks in the world between 2016 and 2018. This comes at a time when digitisation of the Indian economy is predicted to result in a $435 Bn opportunity by 2025.

In a bid to control the growing incidents of cybercrime in the country, the government, in February this year, set up a National Cyber Research, Innovation and Capacity Building Centre in Hyderabad, Telangana. 

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.