Updated: Jun 15
vpnMentor discovers major data breach in online document verification platform Myeasydocs, says could have been avoided
A massive data breach in the online document verification platform Myeasydocs has exposed the information of some 50,000 students. This breach was discovered by the vpnMentor research team in February 2022, but details were only published now.
Myeasydocs is headquartered in Chennai, India, and caters to clients across India and in Israel who are interested in submitting documents for verification to banks, universities, law enforcement agencies and other institutions. Its data is hosted on the Microsoft Azure cloud.
According to the researchers, led by Noam Rotem, the breach “was connected to an Israeli URL owned by a company that appeared to facilitate Indian students submitting documents to educational institutes in Israel and India. As a result, over 50,000 current and former students of the universities were exposed to a wide range of online frauds and attacks.”
As a result, a variety of personal data was exposed, such as the students’ full names, IDs, courses of study, grades, graduation dates, emails and phone numbers. vpnMentor notes in its report that potential effects of this are phishing, fraud and identity theft.
The researchers criticize the company, noting that it “failed to implement any security measures on the account’s servers, leaving the contents totally exposed and easily accessible to anyone with a web browser.”
“Myeasydocs could have easily avoided exposing its customers’ data if it had taken some basic security measures,” note the researchers, who go on to list those measures: securing servers and data stores, implementing proper access rules, and never leaving a system that doesn’t require authentication open to the internet.
vpnMentor discovered the breach on February 2nd “as part of a huge web mapping project undertaken to make the internet safer for all users,” says the report, adding that this is done by searching for unsecured data stores “exposing private information and examine each data store for any data being leaked.” Israel’s CERT was contacted the day following the breach. Vendors were contacted on February 8th.