Skip to content

Diksha app exposes data of over 16L Indian teachers and students

  • by
  • 3 min read

Personally Identifiable Information of over one million teachers and nearly 600,000 students were exposed by Diksha, a public education app launched by the Indian government in 2017 and made mandatory during the COVID-19 outbreak. The data was found left exposed on an unprotected Azure server used by the app as per a Wired report published on January 23. 

The exposure included the full names, phone numbers and email addresses of teachers and email addresses, phone numbers (both partially obscured), full names, school information, course enrollment, and progress information for students. 

This data comes from just two of the thousands of files on the protected server, as claimed by a UK-based security researcher who found the exposed server in June. The researcher contacted the Diksha support team via their email, alerting them of the exposure, identifying the source and offering more information but received no response. 

The mandatory education app exposed the data of millions of students and teachers alike.

Wired also reached out to the Ministry of Education and received no response. The publication then reached out to Deepika Mogilishetty, the chief of policy and partnerships at EkStep, Diksha’s development foundation. Mogilishetty claims that while EkStep maintains the app itself, the security and data management policies are dictated by the Ministry of Education. The unsecured server was taken offline after Wired shared its links with Mogilishetty. 

While it’s unknown exactly for how long the data was exposed, Google was able to index more than 100 files from the server by October 2018. A simple Google search could’ve accessed all this sensitive information for the last four years. Although Wired did not find evidence of any data accessible via Google search, security researchers and hackers could likely have accessed this information rather easily. 

This isn’t the first instance of Diksha mishandling student information, either. According to a 2022 report by Human Rights Watch, Diksha was able to track the location of students and shared that data with Google. This is a major violation from a child-rights perspective as while the government is fulfilling its duty of providing free education, making Diksha mandatory and not providing an alternative is a privacy violation. 

In the News: Meta partners with NBA to bring over 50 live games to VR

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>