One Million Online Student Records Exposed by E-Learning Sites


Nearly one million records containing the personal information of online students have been leaked after cloud misconfigurations by five e-learning platforms, according to WizCase.

The VPN comparison site found four misconfigured and unencrypted AWS S3 buckets and one unsecured Elasticsearch server, compromising the details of countless e-learners, including many children, as well as their parents and teachers.

The personally identifiable information (PII) exposed included full names, home and email addresses, ID numbers, phone numbers, dates of birth and course/school information.

WizCase warned users of potential follow-on identity fraud, phishing attacks, stalking and blackmail.

“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” it added.

“However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”

The affected companies include Escola Digital, a Brazilian site that leaked 15MB of data, amounting to 75,000 records, although many came from 2016 and 2017.

South African site MyTopDog exposed over 800,000 records via a misconfigured S3 bucket, including documents related to business partner Vodacom School.

Kazakhstan-based Okoo leaked 7200 records via an Elasticsearch server, while US sites Square Panda (15,000) and Playground Sessions (4100) round out the affected platforms.

WizCase urged users who may have had their data exposed in this way to regularly check for unusual activity on their accounts, to be extra cautious when receiving unsolicited emails and never to give out PII over the phone.

These incidents are widespread across virtually all industries, although the online learning sector has been booming of late thanks to COVID-related school closures across much of the world.

Earlier this month, WizCase revealed five dating apps in the US and Asia that had exposed millions of customer records through misconfigured Elasticsearch servers, MongoDB databases and AWS buckets.
