Personally identifiable information of millions of teachers and students from India who had signed up for the Indian government’s e-learning app Diksha was allegedly left exposed on an unprotected cloud server, claims a Wired report, published on Monday.
The data found on the unprotected server includes names, phone numbers, and email addresses of over a million teachers and 600,000 students from various schools across India. Some information related to students such as email and phone numbers was “partially obscured”, according to Wired.
The data was first discovered last June by a UK-based security researcher, who didn’t want to be named as they were not allowed to speak to the media without approval from their employers. Wired claims to have verified the data.
The Diksha support team was alerted about the breach by the researcher via email, which didn’t elicit a response from them.
Wired claims that it reached out to the Ministry of Education but didn’t get any response from them either.
The data on the server was taken offline after Wired shared links to the unsecured server with Deepika Mogilishetty, the chief of policy and partnerships at EkStep Foundation, a non-profit founded by Nandan Nilekani, which developed the Diksha app.
Launched in 2017, Diksha is a free e-learning app that provides educational content relevant to Indian school curriculum for students and teachers. According to Diksha.gov.in, it is an initiative by the National Council for Educational Research and Training (NCERT), which falls under the purview of the central government’s Ministry of Education.
The app’s downloads soared past 10 million in 2020 after the Covid-19 outbreak, which forced schools across India to shift to a remote learning model.
Privacy advocates have time and again criticised the data storage and sharing policies of government-run apps including Aarogya Setu and asked for clarity on who has access to user data and for what purpose.
According to a May 2022 report by Human Rights Watch, which evaluated 163 edtech platforms from various countries, 89% of them were found to be engaging in data practices that were putting children at risk. The report claims that Diksha app can track the precise location of students and be sharing it with Google through embedded software development kits (SDK).
According to a December report by NordVPN, nearly 12% of all unique user data found in cybercrime marketplaces in 2022 belonged to Indians. Some of the personal information such as passwords and browsing history on these marketplaces are sold for as low as ₹500.