Personally identifiable information of over one million teachers and nearly 600,000 students was exposed by Diksha, a public education app launched by the Indian government in 2017 and made mandatory during the COVID-19 outbreak. The data was found exposed on an unprotected Azure server used by the app, according to a Wired report published on January 23.
The exposure included the full names, phone numbers and email addresses of teachers, and the email addresses and phone numbers (both partially obscured), full names, school information, course enrollment, and progress information of students.
This data comes from just two of the thousands of files on the unprotected server, according to a UK-based security researcher who found the exposed server in June. The researcher emailed the Diksha support team, alerting them to the exposure, identifying the source and offering more information, but received no response.
Wired also reached out to the Ministry of Education and received no response. The publication then reached out to Deepika Mogilishetty, the chief of policy and partnerships at EkStep, Diksha’s development foundation. Mogilishetty claims that while EkStep maintains the app itself, the security and data management policies are dictated by the Ministry of Education. The unsecured server was taken offline after Wired shared its links with Mogilishetty.
While it’s unknown exactly how long the data was exposed, Google was able to index more than 100 files from the server by October 2018. A simple Google search could’ve accessed all this sensitive information for the last four years. Although Wired did not find evidence of any data accessible via Google search, security researchers and hackers could likely have accessed this information rather easily.
This isn’t the first instance of Diksha mishandling student information, either. According to a 2022 report by Human Rights Watch, Diksha was able to track the location of students and shared that data with Google. This is a major violation from a child-rights perspective: while the government is fulfilling its duty of providing free education, making Diksha mandatory and not providing an alternative is a privacy violation.