A misconfiguration in one of Leverage EDU’s cloud storage buckets leaked almost 240,000 sensitive files, including students’ passports, financial documents, certificates and exam results.
The leaked data contains personally identifiable information, which can easily be used to create targeted spear-phishing attacks as well as to commit identity theft and fraud.
The exposure was detected by the Cybernews research team on January 31 in the form of a misconfigured and publicly accessible Amazon S3 bucket.
The bucket contained zip archives holding sensitive data and PII of multiple students, including degree certificates, report cards, exam results, CVs, completed application forms to various universities, phone numbers, emails and physical addresses. Leaked financial information from the bucket included bank statements, student loan documents, loan co-signers’ identification documents and payslips.
Cybernews reached out to Leverage EDU about the issue. Upon notification, the company secured access and confirmed that the problem was solved and that it would be running an internal investigation of its systems.
With a database that large, a leak of this magnitude, containing this much sensitive data, can be disastrous for both the company and the victims involved. At the moment, there are no reports of this data being abused by threat actors, but mitigation actions like invalidating documents are recommended.
Leverage EDU is a major higher education platform for students looking to study abroad and has numerous branches throughout India, with offices in the UK and Australia. The company claims a network of over 650 educational institutions worldwide and 80 million users in 2022.
Leverage EDU was also relatively unaffected by the pandemic, securing $22 million in funding from international investors and quadrupling its workforce.