At a glance.
- Flaw in Indian education app exposes student and teacher data.
- More about the T-Mobile security incident.
- Cybercriminal arrested for COVID employment benefits fraud.
Flaw in Indian education app exposes student and teacher data.
A cybersecurity researcher has discovered a bug in India’s Digital Infrastructure for Knowledge Sharing (Diksha) app that has been leaking private data from millions of Indian students and teachers for more than a year. Operated by the Indian Ministry of Education, the app was launched in 2017 and became a primary learning resource during the school closures caused by the COVID-19 pandemic. A flaw in the cloud server used to store Diksha’s data exposed the full names, phone numbers, and email addresses of more than 1 million teachers in hundreds of thousands of schools across India to the open internet. Another exposed file revealed the full names of 600,000 students, along with course details and partially hidden email addresses and phone numbers. The researcher who discovered the leak tried to alert the Ministry of Education but received no response. Wired says it has reached out to Deepika Mogilishetty, the head of policy and partnerships at EkStep, the company that developed Diksha, and also received no response, although the unsecured server was quickly taken offline. It is worth noting that this is not the first time Diksha has been linked to a data breach. In 2022, Hye Jung Han, a researcher at Human Rights Watch, reported that Diksha was tracking students’ location data and sharing it with Google. Han explained, “What happens there from a children’s rights lens is that you fulfill your responsibility to provide every child with a free education, but the only type of state education that you make available is one that inherently violates children’s rights.”
More about the T-Mobile security incident.
As we saw last week, wireless giant T-Mobile suffered a breach that exposed the data of approximately 37 million customer accounts. Several media outlets labeled the incident an “attack” and compared it to several previous incidents in which the mobile carrier was targeted by threat actors, one of which resulted in class action lawsuits against the company. However, The Desk clarifies that the breach was not an attack in the conventional sense, but rather the exploitation of an application programming interface (API) that was intentionally made available to developers to access certain areas of the site. Yes, an adversary has exploited this API, but some experts say that calling the incident a hack or attack is deceptive and changes the conversation. T-Mobile has not disclosed why customer data was available through an API, and while there are some clear explanations – for example, social media-based authentication for accessing customer service, or third-party sales efforts – identifying the incident as what it was, an API exploit, is important for determining why it happened and how to prevent it from happening again. Call it a hack if you will, but this is a “hack” in the sense of a life hack, as in “let me show you how to extend the range of your wireless car key,” not a “hack” in the sense of deploying malware.
Cybercriminal arrested for COVID employment benefits fraud.
For cybercriminals, the pandemic is the gift that keeps on giving. The U.S. Attorney for the Central District of California reports that a man who lived in Orange County pleaded guilty yesterday to stealing the identities of two dozen victims to fraudulently claim more than $1.2 million in COVID-19 pandemic unemployment benefits. Nhan Hoang Pham obtained the personally identifiable information of people living in California, Texas, and Michigan and used it to submit online applications to the California Employment Development Department (EDD), which coordinates the state’s unemployment insurance program, and had the benefits paid out on debit cards routed to an address he controlled. Pham attempted to steal approximately $1,255,350 through the fraudulent applications, of which he received approximately $408,496. Pham faces a maximum legal sentence of 30 years in federal prison.