Personal and sensitive data belonging to WhiteHat Jr, a subsidiary of edtech unicorn BYJU’S, was left exposed due to an unsecured database.
The server, which is owned and maintained by customer relationship management (CRM) platform Salesken.ai, had been left exposed since June 14. Bengaluru-based Salesken.ai provides CRM tools to WhiteHat Jr. Salesken.ai is backed by prominent VCs such as Sequoia India, Unitus Ventures and Michael and Susan Dell Foundation.
Details about the unsecured database were visible on Shodan.com, which maintains a database of unsecured servers. Since the Salesken.ai server was left exposed without a password, details such as names of students and the classes they took, and email addresses and phone numbers of parents and teachers, were publicly accessible, according to TechCrunch.
The unsecured server also exposed other personal and sensitive data such as chat logs between parents and WhiteHat Jr. staff, phone numbers of parents, and feedback commentary written by teachers about their students.
The server also stored a record of emails containing sensitive codes that could allow anyone to reset user accounts as well as other internal Salesken.ai data.
The server was, however, taken offline shortly after the publication contacted Salesken.ai on Tuesday (29th June).
“Salesken.ai, one of WhiteHat Jr’s vendors for India operations, has experienced a potential security incident. We are currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies,” WhiteHat Jr. spokesperson Sameer Bajaj also said in response to Inc42’s queries.
Anurag Sen, a security researcher who first reported the breach, told Inc42 that the Salesken.ai server was left unsecured without any password protection, and was discovered during a routine web mapping project that he was working on.
“Mostly the files were from WhiteHat Jr, including some files from BYJU’s future school. The number of students (impacted) is hard to figure out due to multiple entries but it was more than 100k entries for student and parents details,” added Sen.
“Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India based end-of-life sales logs for a fortnight…Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device,” Thilakan told the publication.
BYJU’S is currently the most valued startup in the Indian startup ecosystem at a towering valuation of $16.5 Bn. BYJU’S has acquired Mumbai-based WhiteHat Jr. for $300 Mn, which was one of the most celebrated deals in India’s consumer Internet space.
BYJU’S also has a sizable number of users. The company added 25 Mn new students to its platform between March 2020 and November 2020, growing its user base to 75 Mn students, including 4.2 Mn annual paid subscribers.
WhiteHat Jr., on the other hand, has over 1.5 lakh paid students, of whom 70% are in India, with more users from other countries such as the US, Australia and New Zealand.
Inc42 had earlier pointed out that due to a global pandemic sweeping through the world, Indian companies have become more vulnerable to cyberattacks and data breaches, and many of the top tech startups have fallen victim.
Recently, a slew of data breaches uncovered in India’s startup ecosystem has set alarm bells ringing among regulators and government agencies. In the Mobikwik data breach of March 2021, for instance, around 100 Mn users are said to have been affected, prompting public outcry and hints of regulatory intervention from the RBI. However, what surprised most observers was the staunch denial of responsibility from the fintech firm.
Given that India lacks a comprehensive data protection act, which has been stuck in limbo for more than three years, Mobikwik and others before it have been able to deny responsibility and skip any legal repercussions. In the last five years alone, more than two dozen consumer tech startups have either directly or indirectly been responsible for exposing personal and non-personal data of billions of customers cumulatively.
Startups in hyperlocal delivery, fintech, edtech, mobility, and content streaming were the worst affected. Big tech firms like Twitter and Facebook have also been impacted on several occasions. Government-run Aadhaar has also been involved in several data leaks in the past.
Corrigendum: (21:44 PM) An earlier version of the story stated that users belonging to edtech major BYJU’s were also affected by the data breach. However, a spokesperson from WhiteHat Jr informed Inc42 after the article was published that the breach affected only users of WhiteHat Jr. Salesken.ai supplies CRM tools to WhiteHat Jr. only and not to BYJU’s. The story’s headline and lede have been updated to reflect the changes.