It was announced today that over one million North American students have had their data exposed after a popular online learning platform left it in a publicly accessible cloud database. Researchers claim that the Elasticsearch database belonging to provider OneClass was left completely unsecured. The trove contained over 27GB of data, amounting to 8.9 million records, including many students’ full names, email addresses, schools/universities, phone numbers, account details, and school enrollment details.
Leaving a database vulnerable can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation, and it does not take much effort for outsiders to find unsecured databases and access sensitive information. Personal data is precious, and it is imperative that the proper controls are in place to secure it.
All companies, even those with limited IT resources, must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. Organisations must take the proper cloud security steps, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their databases, maintain compliance with regulations, and protect the sensitive data that they have been entrusted with. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.
The discovery of the unsecured OneClass database comes after several major breaches in the edtech industry, most notably Chegg in late April and Mathway in May this year. Malicious actors have greatly escalated attacks against the education sector, turning unsecured databases into serious threats, particularly as the compromised information makes victims easier targets for phishing schemes. Security controls across the edtech supply chain need to adapt to an expanded attack surface as institutions extend e-learning scope options and are targeted. This also applies to their edtech suppliers, like OneClass, that face similar threats. As edtech companies adapt to the rapid increase in demand for online learning through cloud databases, they must be more vigilant on security posture assessment, on Zero Trust policy adherence, and on data protection obligations to ensure the safety of their users – particularly minors.
The Zero Trust principle dictates that no connectivity is allowed until a user and their device is authenticated. This at least prevents unauthorized users and vulnerable endpoints from accessing resources. Sensitive PII data should always be stored encrypted, so even if attackers gain access to a user’s credentials, the compromised data is useless. SSL VPN technology adds additional security to the data in transit.