In yet another incident that points to Indian companies not taking privacy seriously enough, Gurugram-based online school management platform Skolaro has exposed data belonging to over 50K students studying in around 100 Indian schools, as well as their parents and teachers, after storing its database on unsecured servers.
The database was first discovered by UK-based cybersecurity researcher Roni Suchowski, who said it also holds over 130K user IDs and passwords, which are lying unprotected on the database. Each of these usernames belongs to a current or former user of Skolaro’s platform, and Suchowski said that anyone with basic knowledge of web development can easily take a look at the database.
Inc42 can confirm that the database contains usernames, passwords, age, blood group, religion, address, admission number, school name, date of birth, grades and profile images, among other details. It also contains the medical history of some students, making it ripe for identity theft and other crimes.
“Hundreds of photographs of a single student are available on the database. I checked randomly and saw almost every day a picture of a kid indulged in some activity at some kindergarten,” said Suchowski. Moreover, personal details of teachers at Skolaro-partnered schools, including their salaries, were also exposed.
The researcher told us he was alerted to Skolaro’s unsecured server by a cybersecurity service that scans the internet to pinpoint threats or vulnerable spots in networks and servers. He also explained that some databases are left without a password during migrations.
Government Officials’ Data Exposed
Inc42 independently verified the unsecured database through cybersecurity expert Rajshekhar Rajaharia. Rajaharia said that the size of the database is approximately 1.3 GB. Besides students, personal data related to parents and teachers registered on Skolaro was also available on the database.
DataLabs, Inc42’s research division, was also able to successfully download data belonging to all users on the server. We were easily able to find information such as names, user IDs, passwords, email IDs, phone numbers, professions, annual incomes and educational qualifications, among other details. Additionally, documents such as voter IDs, Aadhaar cards, passports, birth certificates and residence proofs were also left unprotected on the database. DataLabs downloaded the data only to confirm the contents of the database.
The leaked data includes details of former government officials, including those who have worked in some of the highest offices in the central government until as recently as last year. For the sake of responsible reporting, Inc42 cannot name these officials.
Suchowski said that besides details of Indians, around 90 scanned copies of passports belonging to UK residents were also available on the database. Overall, the database contains over 1300 passport scans.
It must be noted that there’s no evidence that this data has been obtained by third parties at this time.
Suchowski and Inc42 contacted Skolaro independently to report the potential data leak from its platform. Shailendra Singh Naruka, a software developer at Skolaro, had assured Suchowski in an email on March 9 that the unsecured servers would be brought to the notice of the top management. However, no action has been taken so far.
Skolaro told us it would be securing the database but it has not taken any steps even three days after being notified of the breach. The inaction brings into question how seriously the company takes its responsibility towards users who have paid money and have been assured that their data and that of their vulnerable children is stored safely.
Can Edtech Platforms Keep Data Safe As Coronavirus Boosts Adoption?
What’s worrying is that with quarantines around the world in response to the coronavirus pandemic, many schools have opted to use online learning management systems or are providing lessons through video conferencing tools. In fact, Skolaro and other similar offerings are seeing more traction during this crisis, as per reports.
Rakhi Mukherjee, principal of Mumbai-based Utpal Shanghvi Global School, told TOI this week that the school is using Skolaro to send homework to its students. “Students are expected to stay home, await lots of work coming their way through Skolaro, our online school information management software, so that they can carry on working from home and prepare for the forthcoming exams,” she was quoted as saying.
However, Skolaro is saving data on these homework assignments, and on the students themselves, on unsecured servers accessible from the internet. Schools are also relying on other edtech platforms to connect with their students amid the coronavirus outbreak, and many of them are temporarily offering services and products free of charge.
With schools shut down, one can expect the volume of data related to student progress, lessons and other information to increase substantially during the next few months in many parts of India amid the coronavirus pandemic. It remains to be seen how many of these platforms treat this sensitive data with the respect and security that it deserves.
The number of data breaches has ramped up in the past few years in India. According to the latest Data Security Council of India (DSCI) report, India has been identified as the second most cyberattack-affected country between 2016 and 2018.
Under US law, for example, Skolaro would have had to pay a massive penalty for each instance of violation. Given the amount of data that’s been left exposed for every user, the company might have even faced a seven-figure fine or higher under the Children’s Online Privacy Protection Act (COPPA). In the past, Google and YouTube have been penalised by US law enforcement agencies for not complying with COPPA, but such a law has only been discussed in India. At the moment, data protection laws do not cover instances of data of minors being stored in an unsecured manner.
In fact, with no such law, platforms that store data in an unsecured manner might not even be penalised by the government; it is left to the very users whose data was exposed to take any legal action against such leaks.