The personal information of more than one million students, mostly in North America, who use Canadian learning support services could have been accessed by anyone as a result of an improperly secured online database.
The data breach affected OneClass, an e-learning platform that provides class notes and study guides; a database consisting of 8.9 million records and 27 GB of data was compromised.
The breach was discovered by VPNMentor researchers in May.
"By failing to protect users' data, OneClass created a gold mine for criminal hackers and put the privacy and security of more than a million young people and their families at risk," the VPNMentor report states.
The database, which used the Elasticsearch framework and was hosted on Amazon Web Services, contained personally identifiable information on current students, rejected students, and academics.
The leaked records included full names, email addresses, schools and universities attended, phone numbers, course registration details, and OneClass account details.
Even more alarming is that the leak may have affected minors, with researchers noting that OneClass "contains resources for high school students and accepts users over the age of 13."
Fortunately, the database does not appear to have been accessed by cybercriminals. However, the researchers warn that anyone who had obtained the data could "pursue a wide range of illegal activities," including launching phishing campaigns.
"Because OneClass has paid subscription plans for premium content and resources, hackers could use this to coerce someone into providing financial information," the VPNMentor report warned.
"Furthermore, OneClass users are very young, including minors, and are generally unaware of most online criminal schemes and scams. Therefore, they are particularly vulnerable to being targeted. In addition, many of them are likely to have registered using their parents' credit cards, putting the entire family at risk."
The researchers informed OneClass of the breach.
"In response, OneClass immediately secured the database, but insisted that it was a test server and that the data stored within had nothing to do with actual individuals," the researcher said.
"During our investigation, however, we used publicly available information to validate a small sample of records in the database. We retrieved PII data from a number of records and found social profiles of instructors and other users on various platforms that matched the records in the OneClass database."
According to VPNMentor, OneClass could have avoided this information breach by "securing its servers, implementing appropriate access rules, and not leaving systems open to the Internet that do not require authentication."
It urges customers who are concerned about this leak to "contact the company directly to find out what steps they are taking to protect their data."