Data of 100,000 Indian Students Leaked Online, Claims Researcher

While Google search engine is used by millions of people everyday, a new research suggests that personal sensitive data of more than 100,000 students is readily available on the search engine.

According to Independent Cyber Security Expert Sourajeet Majumder, Personal Identifiable Information (PII) data of thousands of students could be easily accessed by a simple Google search technique.

Majumder told The Quint, “I was able to retrieve the data of around 100,000+ students within 30 minutes after which I stopped my investigation because the amount of data present on the web is massive”.

Personal Details Available Online

Cyber security researcher Majumder claims to discover data of private schools, college and university students. Here is the list of data found:

• Students’ names
• Parents’ names
• Personal e-mail address
• Aadhaar card number

“In one case besides the name there were 8 pages filled with email and password to login to a portal of an institute which prepares students for JEE,” he added.

Source of Leaked Data

There is no single source from where this data is getting leaked, but it can be traced back to:

• Multiple websites belonging to schools, colleges, and institutes.
• Maximum data from publicly uploaded documents on Scribd – an American e-book and audiobook subscription service – where people like me and you can publish a document as public or private.

Cause of Data Leakage

Internet Researcher Majumder informed that after the pandemic a lot of schools and colleges started functioning online. Many took up methods to store students’ data online in their websites but these applications were probably built as quickly as possible with functionality being its only goal and little or no focus on security.

Why Is This Data Available on Google?

Google is a search engine which indexes everything available on the web until and unless a website asks it not to do so.

Since documents which are uploaded as public on Scribd are supposed to be indexed by search engines, the uploaded documents come up in the search results. (Private docs on Scribd are not allowed to be indexed).

Similarly, websites belonging to these institutions have not set up indexing rules for the documents they have uploaded, and thus Google is including them in its search result by default.

Impact Of Data Breach On Students

Students are an integral part of the society and their personal data should be kept confidential. Making them publicly available is a huge privacy breach, states the researcher.

While the data can be misused in different ways, here are two main repercussions of a breach:

1. Telemarketing companies can use the phone numbers/emails to target the students to promote their goods/services.
2. Spammers/cyber criminals can target students to launch "Phishing" attacks or plan "Social Engineering" attacks on them which can have multiple negative consequences.

What to Do If Your Data Gets Publicly Exposed?

“When leaks include login credentials, the best practice is to change the password and set up 2 Factor Authentication because in most cases people use the same password for all of their social media accounts thus giving an upper hand to cyber criminals to take over account after account,” Majumder told The Quint.

But in cases like this, where PII of students are publicly exposed by multiple sources, there is not much one can do other than being aware about the consequences they might need to face due to the exposed data.

“They need to stay alert from ‘phishing links’ or ‘spam calls’ by telemarketing companies which they might receive,” he added.