A security hole in an app operated by the Indian Ministry of Education has been exposing the personally identifiable information of millions of students and teachers for over a year.
The data was stored by the Digital Knowledge Sharing Infrastructure app, or Diksha, a public education app launched in 2017. At the height of the Covid-19 pandemic, when the government was forced to close schools across the country, Diksha became an elementary school tool for students to access materials and courses at home.
But a cloud server that stored Diksha’s data was left unprotected, exposing the data of millions of individuals to hackers, scammers and pretty much anyone who knew where to look.
Files stored on the unsecured server contained the full names, phone numbers and email addresses of more than 1 million teachers. According to data in the files verified by WIRED, the teachers worked for hundreds of thousands of schools in every state in India. Another file contained information on nearly 600,000 students. While the students’ email addresses and phone numbers were partially hidden, the data included the students’ full names and information about where they went to school, when they enrolled in a course through the app, and how much of the course they completed.
According to a UK-based security researcher who identified the exposure, there were thousands of files like this on the server. (The investigator asked not to be named because they were not authorized to speak to the media.)
After first discovering the exposure in June, the researcher contacted Diksha’s support email, alerted them to the data breach, identified the source and offered to share more information. They got no response. “There’s no chance it wasn’t opened and downloaded by a bunch of other people,” the researcher says of the exposed data.
WIRED contacted the Department of Education and received no response.
Diksha was developed by EkStep, a foundation co-founded by Nandan Nilekani, who helped develop Aadhaar, the country’s national identification system. According to Deepika Mogilishetty, head of policy and partnerships at EkStep, while the foundation has supported Diksha for many years, the Indian Ministry of Education is finally implementing security and data management policies on Diksha. However, after WIRED sent Mogilishetty links to the unsecured server, it was quickly taken offline.
This is not the first time that Diksha may have misused sensitive information. A 2022 report by Human Rights Watch found that Diksha could not only track the location of students, but also shared data with Google. In many cases, the Indian government has mandated that teachers and students use Diksha, and Hye Jung Han, a researcher at Human Rights Watch who wrote the 2022 report, says the government has not provided alternative methods for those who might not have wanted to use the app.
“What’s happening there from a child’s rights lens is you’re fulfilling your responsibility to provide every child with a free education, but the only type of state education you’re making available is one that inherently violates children’s rights,” says Han.