Education nonprofit Edraak ignored a student data leak for two months

Edraak, an online education nonprofit, exposed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently by mistake.
The nonprofit, founded by Jordans Queen Rania and headquartered in the kingdoms capital, was set up in 2013 to promote education across the Arab region. The organization works with several partners, including the British Council and edX, a consortium set up by Harvard, Stanford and MIT.
In February, researchers at U.K. cybersecurity firm TurgenSec found one of Edraaks cloud storage servers containing at least tens of thousands of students data, including spreadsheets with students names, email addresses, gender, birth year, country of nationality and some class grades.
TurgenSec, which runs Breaches.UK, a site for disclosing security incidents, alerted Edraak to the security lapse. A week later, their email was acknowledged by the organization but the data continued to spill. Emails seen by TechCrunch show the researchers tried to alert others who worked at the organization via LinkedIn requests, and its partners, including the British Council.
Two months passed and the server remained open. At its request, TechCrunch contacted Edraak, which closed the servers a few hours later.
In an email this week, Edraak chief executive Sherif Halawa told TechCrunch that the storage server was meant to be publicly accessible, and to host public course content assets, such as course images, videos, and educational files, but that student data is never intentionally placed in this bucket.
Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket, Halawa confirmed.
Unfortunately our initial scan did not locate the misplaced data that made it there accidentally. We attributed the elements in the Breaches.UK email to regular student uploads. We have now located these misplaced reports today and addressed the issue, Halawa said.

How to respond to a data breach
See also:
Leave a comment
  • Latest
  • Read
  • Commented
Calendar Content
«     2021    »