At a glance.
- Flaw in Indian education app exposes student and teacher data.
- More on the T-Mobile security incident.
- Cybercriminal arrested for COVID employment benefit fraud.
Flaw in Indian education app exposes student and teacher data.
A cybersecurity researcher has identified a bug in India’s Digital Infrastructure for Knowledge Sharing (Diksha) app that for over a year had been leaking private data belonging to millions of Indian students and teachers. Operated by India’s Education Ministry, the app was launched in 2017 and became a primary learning resource during the school closures spurred by the COVID-19 pandemic. A flaw in the cloud server used to store Diksha’s data left the full names, phone numbers, and email addresses of more than 1 million teachers at hundreds of thousands of schools across India exposed to the open internet. Another exposed file revealed 600,000 students’ full names, course details, and partially obscured email addresses and phone numbers. The researcher who detected the leak attempted to alert the Education Ministry but received no response. Wired says it reached out to Deepika Mogilishetty, the chief of policy and partnerships at EkStep, the company that developed Diksha. Wired also received no response, though the unsecured server was quickly taken offline. It’s worth noting that this isn’t the first time Diksha has been connected to a data leak. In 2022, Hye Jung Han, a researcher at Human Rights Watch, reported that Diksha was tracking student location data and sharing it with Google. Han explained, “What's happening there from a child-rights lens is, you are fulfilling your responsibility to provide free education to every child, but the only type of state education that you're making available is one that inherently violates kids' rights.”
More on the T-Mobile security incident.
As we saw last week, wireless giant T-Mobile suffered a breach that exposed the data of approximately 37 million customer accounts. Several media outlets labeled the incident an “attack” and compared it to several previous incidents in which the mobile carrier was targeted by threat actors, one of which resulted in class action lawsuits against the company. However, the Desk clarifies that the breach wasn’t an attack in the conventional sense, but rather the exploitation of an application programming interface (API), an interface intentionally left available so that developers can access certain parts of the site. Yes, a bad actor abused this API, but some experts say calling the incident a hack or attack is misleading and changes the conversation. T-Mobile hasn’t disclosed why customer data were available through an API, and although there are a number of above-board explanations – for instance, social-media based authentication for access to customer service, or external sales efforts – identifying the incident as what it was, an API exploitation, is important in determining why it happened and how to prevent it from happening again. Call it a hack if you will, but this is a “hack” in the sense of a life-hack, as in, let me show you how to extend the range of your wireless car key, not a “hack” in the sense of deploying malware.
Cybercriminal arrested for COVID employment benefit fraud.
For cybercriminals, the pandemic is the gift that keeps on giving. The US Attorney for the Central District of California reports that a man residing in Orange County yesterday pled guilty to stealing the identities of two dozen victims in order to fraudulently apply for over $1.2 million in COVID-19 pandemic unemployment insurance benefits. Nhan Hoang Pham obtained the personal identifying information of people living in California, Texas, and Michigan and used it to submit online applications to the California Employment Development Department (EDD), which coordinates the state’s unemployment insurance program, and had the benefits placed on debit cards routed to an address which he controlled. Pham attempted to steal approximately $1,255,350 through the fraudulent applications, of which he received approximately $408,496. Pham will face a statutory maximum sentence of 30 years in federal prison.