Article 5GBB4 Education nonprofit Edraak ignored a student data leak for two months

Education nonprofit Edraak ignored a student data leak for two months

by
Zack Whittaker
from Crunch Hype on (#5GBB4)

Edraak, an online education nonprofit, exposed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently by mistake.

The nonprofit, founded by Jordan's Queen Rania and headquartered in the kingdom's capital, was set up in 2013 to promote education across the Arab region. The organization works with several partners, including the British Council and edX, a consortium set up by Harvard, Stanford and MIT.

In February, researchers at U.K. cybersecurity firm TurgenSec found one of Edraak's cloud storage servers containing at least tens of thousands of students' data, including spreadsheets with students' names, email addresses, gender, birth year, country of nationality and some class grades.

TurgenSec, which runs Breaches.UK, a site for disclosing security incidents, alerted Edraak to the security lapse. A week later, their email was acknowledged by the organization but the data continued to spill. Emails seen by TechCrunch show the researchers tried to alert others who worked at the organization via LinkedIn requests, and its partners, including the British Council.

Two months passed and the server remained open. At its request, TechCrunch contacted Edraak, which closed the servers a few hours later.

In an email this week, Edraak chief executive Sherif Halawa told TechCrunch that the storage server was meant to be publicly accessible, and to host public course content assets, such as course images, videos, and educational files," but that student data is never intentionally placed in this bucket."

Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket," Halawa confirmed.

Unfortunately our initial scan did not locate the misplaced data that made it there accidentally. We attributed the elements in the Breaches.UK email to regular student uploads. We have now located these misplaced reports today and addressed the issue," Halawa said.

How to respond to a data breach

The server is now closed off to public access.

It's not clear why Edraak ignored the researchers' initial email, which disclosed the location of the unprotected server, or why the organization's response was not to ask for more details. When reached, British Council spokesperson Catherine Bowden said the organization received an email from TurgenSec but mistook it for a phishing email.

Edraak's CEO Halawa said that the organization had already begun notifying affected students about the incident, and put out a blog post on Thursday.

Last year, TurgenSec found an unencrypted customer database belonging to U.K. internet provider Virgin Media that was left online by mistake, containing records linking some customers to adult and explicit websites.

More from TechCrunch:

Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.

Techcrunch?d=2mJPEYqXBVI Techcrunch?d=7Q72WNTAKBA Techcrunch?d=yIl2AUoC8zA Techcrunch?i=B6S0Sq8XRcs:YUbscy9zyRg:-BT Techcrunch?i=B6S0Sq8XRcs:YUbscy9zyRg:D7D Techcrunch?d=qj6IDK7rITsB6S0Sq8XRcs
External Content
Source RSS or Atom Feed
Feed Location http://feeds.feedburner.com/TechCrunch/
Feed Title Crunch Hype
Feed Link https://techncruncher.blogspot.com/
Reply 0 comments