This story was first covered by Wired.
A security lapse in a mandatory app operated by India’s Education Ministry has exposed the personal information of millions of students and teachers for over a year. The Digital Infrastructure for Knowledge Sharing (Diksha) app, launched in 2017, became a primary tool for students to access materials and coursework from home during the Covid-19 pandemic. However, a cloud server storing Diksha’s data was left unprotected, making the data vulnerable to hackers, scammers, and anyone who knew where to look.
The files stored on the unsecured server contained the full names, phone numbers, and email addresses of more than 1 million teachers who worked for hundreds of thousands of schools in every state in India. Another file contained information about nearly 600,000 students, including their full names, information about their schools, and coursework data. A UK-based security researcher discovered the exposure in June and contacted Diksha’s support email to alert them to the data breach, but received no response.
According to the researcher, there were thousands of files like this on the server. They said, “There’s zero chance that it hasn’t been accessed and downloaded by a bunch of other people.” WIRED reached out to the Ministry of Education but did not receive a response.
Diksha was developed by EkStep, a foundation co-founded by Nandan Nilekani, who helped develop India’s national identification system, Aadhaar. EkStep’s Chief of Policy and Partnerships, Deepika Mogilishetty, stated that while the foundation had been supporting Diksha for many years, India’s Ministry of Education ultimately implements the security and policies for how data is managed on Diksha. After WIRED sent Mogilishetty links to the unsecured server, it was quickly taken offline.
This is not the first time Diksha has potentially mishandled sensitive information. A 2022 report from Human Rights Watch found that Diksha not only tracked the location of students, but also shared data with Google. In many cases, the Indian government mandated that teachers and students use Diksha, and provided no alternative methods for those who may not have wanted to use the app.
The unsecured storage server was hosted on Azure, Microsoft’s cloud platform. It’s unknown how long the data was left unprotected, but Google had indexed more than 100 files from this server as early as October 2018. In other words, the sensitive student and teacher data was likely findable through a simple Google search for at least four years.
The Education Ministry’s negligence in securing the data of millions of students and teachers is a severe violation of privacy and trust. The government must take immediate action to address the data breach and ensure that the data of its citizens is protected in the future. This incident also highlights the importance of providing alternative methods for students and teachers who may not want to use a mandatory app, and the need for transparency and accountability when handling sensitive information.