A devastating data breach has been uncovered in India’s public education system, exposing the personal information of millions of students and teachers for over a year. The Digital Infrastructure for Knowledge Sharing app, or Diksha, was launched in 2017 as a mandatory tool for students to access materials and coursework from home, particularly during the Covid-19 pandemic. However, a cloud server storing Diksha’s data was left unprotected, making it vulnerable to hacking and scamming by anyone who knew where to look.
According to data verified by WIRED, files stored on the unsecured server contained the full names, phone numbers, and email addresses of more than 1 million teachers. These teachers worked for hundreds of thousands of schools located in every state in India. Another file contained information about nearly 600,000 students, including their full names and information about their school and coursework. A UK-based security researcher who identified the exposure reported that there were thousands of files like this on the server.
The researcher initially discovered the exposure in June and contacted the Diksha support email, alerting them to the data breach and offering to share more information. However, they received no response.
The researcher stated, “There’s zero chance that it hasn’t been accessed and downloaded by a bunch of other people.”
WIRED also reached out to the Ministry of Education but did not receive a response.
Diksha was developed by EkStep, a foundation co-founded by Nandan Nilekani, who helped develop India’s national identification system, Aadhaar. Deepika Mogilishetty, the chief of policy and partnerships at EkStep, stated that while the foundation had been supporting Diksha for many years, India’s Ministry of Education ultimately implements the security and policies for how data is managed on Diksha. However, after WIRED sent Mogilishetty links to the unsecured server, it was quickly taken offline.
This is not the first time Diksha has potentially mishandled sensitive information. A 2022 report from Human Rights Watch found that Diksha not only tracked the location of students but also shared data with Google. In many cases, the Indian government mandated that teachers and students use Diksha, and Hye Jung Han, a researcher at Human Rights Watch who authored the 2022 report, says that the government provided no alternative methods for those who may not have wanted to use the app.
Han stated, “What’s happening there from a child-rights lens is, you are fulfilling your responsibility to provide free education to every child, but the only type of state education that you’re making available is one that inherently violates kids’ rights.”
The unsecured storage server was hosted on Azure, Microsoft’s cloud storage service. It’s unknown how long the data was left unprotected, but Google indexed more than 100 files from this server as early as October 2018. This means that information stored on this vulnerable server was likely findable through a simple Google search for at least four years. While WIRED could not find instances of sensitive student and teacher data through a Google search, files with sensitive data were available for download through Grayhat Warfare, a searchable database of unsecured servers popular with security researchers and hackers.
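The exposure described above is the classic Azure Blob Storage misconfiguration: a container whose public-access level lets anonymous clients read, or even list, its blobs. The script below is an added example for administrators auditing their own subscription; it is not part of the WIRED report and not Diksha's or EkStep's code. It parses the JSON that the Azure CLI prints for `az storage account list` and `az storage container list` (those commands and the `allowBlobPublicAccess` and `properties.publicAccess` fields exist in the real CLI), reports every container an anonymous client could reach, and emits the CLI commands that close the gap. The account and container records embedded in it are constructed sample data and describe no real storage account.

```python
"""Audit Azure CLI output for Blob Storage containers readable without credentials.

Workflow assumed: `az storage account list -o json` for the account inventory, then
`az storage container list --account-name <name> --auth-mode login -o json` per account.
All sample records below are CONSTRUCTED for illustration.
"""
import json
from typing import Dict, List

# Constructed sample of `az storage account list -o json` output (trimmed to the relevant fields).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "exampleschoolcontent", "resourceGroup": "rg-edu-prod",   "allowBlobPublicAccess": true},
  {"name": "examplehrrecords",     "resourceGroup": "rg-edu-prod",   "allowBlobPublicAccess": false},
  {"name": "examplelegacy",        "resourceGroup": "rg-edu-legacy", "allowBlobPublicAccess": null}
]
"""

# Constructed sample of per-account `az storage container list` output.
SAMPLE_CONTAINERS_JSON: Dict[str, str] = {
    "exampleschoolcontent": """
    [
      {"name": "textbooks", "properties": {"publicAccess": "blob"}},
      {"name": "exports",   "properties": {"publicAccess": "container"}},
      {"name": "staging",   "properties": {"publicAccess": null}}
    ]
    """,
    "examplehrrecords": """
    [
      {"name": "teacher-rosters", "properties": {"publicAccess": null}}
    ]
    """,
    "examplelegacy": """
    [
      {"name": "backups", "properties": {"publicAccess": "container"}}
    ]
    """,
}


def account_allows_public(account: Dict) -> bool:
    """True unless the account-level switch is explicitly false.

    `allowBlobPublicAccess` is null on accounts that never had the property set; the
    platform default for an unset value is "allowed", so the audit counts null as allowed.
    """
    return account.get("allowBlobPublicAccess") is not False


def audit(accounts_json: str, containers_json_by_account: Dict[str, str]) -> List[Dict]:
    """Return one finding per container that an anonymous client could read.

    A container is exposed only when BOTH the account permits public access AND the
    container's own level is "blob" (anonymous reads of known blob URLs) or "container"
    (anonymous reads plus anonymous listing of everything inside, the worst case because
    nobody needs to guess file names).
    """
    findings: List[Dict] = []
    for acct in json.loads(accounts_json):
        if not account_allows_public(acct):
            continue  # account-level switch overrides every container setting
        for container in json.loads(containers_json_by_account.get(acct["name"], "[]")):
            level = (container.get("properties") or {}).get("publicAccess")
            if level in ("blob", "container"):
                findings.append({
                    "account": acct["name"],
                    "resourceGroup": acct["resourceGroup"],
                    "container": container["name"],
                    "level": level,
                    "listable": level == "container",
                })
    return findings


def remediation_commands(findings: List[Dict]) -> List[str]:
    """Azure CLI commands that close each finding: per-container first, then the account switch."""
    cmds = [
        f"az storage container set-permission --name {f['container']} "
        f"--account-name {f['account']} --public-access off --auth-mode login"
        for f in findings
    ]
    for name, rg in sorted({(f["account"], f["resourceGroup"]) for f in findings}):
        cmds.append(
            f"az storage account update --name {name} --resource-group {rg} "
            f"--allow-blob-public-access false"
        )
    return cmds


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS_JSON)
    for f in results:
        tag = "LISTABLE" if f["listable"] else "readable"
        print(f"{tag:8} {f['account']}/{f['container']} (publicAccess={f['level']})")
    print("\nRemediation:")
    for cmd in remediation_commands(results):
        print("  " + cmd)
```

Replace the two constructed samples with the real CLI output for your subscription and the script prints each exposed container and the commands to lock it down. The "container" level is the one that makes a server show up in search engines and bucket-search databases, because anonymous listing hands out every file name; the account-wide `--allow-blob-public-access false` is the setting that prevents a future container from being opened by mistake.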
The data breach in India’s public education system is a shocking revelation that highlights the need for better data protection and security measures. The personal information of millions of students and teachers has been exposed for over a year, and it’s unknown how many individuals’ data has been accessed and downloaded by hackers and scammers.