Expert Comments

Expert Commentary: Unsecured OneClass Database Exposes 1M Students

Expert(s): Security Experts
Expert(s): Security Experts

It was announced today that over one million North American students have had their data exposed after a popular online learning platform left it in a publicly accessible cloud database. Researchers claim that the Elasticsearch database belonging to provider OneClass was left completely unsecured. The trove contained over 27GB of data, amounting to 8.9 million records, including many students’ full names, email addresses, schools/universities, phone numbers, account details, and school enrollment details.

Experts Comments

June 30, 2020
Rene Paap
Senior Product Marketing Manager
Pulse Secure
The discovery of the unsecured OneClass database comes after several major breaches in the edtech industry, most notably Chegg in late April and Mathway in May this year. Malicious actors have greatly escalated attacks against the education sector, turning unsecured databases into serious threats, particularly as the compromised information makes victims easier targets for phishing schemes. Security controls across the edtech supply chain need to adapt to an expanded attack surface as.....Read More
The discovery of the unsecured OneClass database comes after several major breaches in the edtech industry, most notably Chegg in late April and Mathway in May this year. Malicious actors have greatly escalated attacks against the education sector, turning unsecured databases into serious threats, particularly as the compromised information makes victims easier targets for phishing schemes. Security controls across the edtech supply chain need to adapt to an expanded attack surface as institutions extend e-learning scope options and are targeted. This also applies to their edtech suppliers, like OneClass, that face similar threats. As edtech companies adapt to the rapid increase in demand for online learning through cloud databases, they must be more vigilant on security posture assessment, on Zero Trust policy adherence, and on data protection obligations to ensure the safety of their users - particularly minors. The Zero Trust principle dictates that no connectivity is allowed until a user and their device is authenticated. This at least prevents unauthorized users and vulnerable endpoints from accessing resources. Sensitive PII data should always be stored encrypted, so even if attackers gain access to a user’s credentials, the compromised data is useless. SSL VPN technology adds additional security to the data in transit.  Read Less
June 30, 2020
Anurag Kahol
CTO
Bitglass
Leaving a database vulnerable can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation, and it does not take much effort for outsiders to find unsecured databases and access sensitive information. Personal data is precious, and it is imperative that the proper controls are in place to secure it. All companies, even those with limited IT resources, must take full responsibility for securing user data – there is no excuse for negligent.....Read More
Leaving a database vulnerable can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation, and it does not take much effort for outsiders to find unsecured databases and access sensitive information. Personal data is precious, and it is imperative that the proper controls are in place to secure it. All companies, even those with limited IT resources, must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. Organisations must take the proper cloud security steps, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their databases, maintain compliance with regulations, and protect the sensitive data that they have been entrusted with. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.
SUBMIT

You may also like

IKEA Suffering Ongoing “Reply-Chain” Email Attack

Cybersecurity Expert Reaction On UK’s Financial Regulator Scraps 90-day Authentication...

DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People

Panasonic Becomes Latest Victim Of Data Breach – Security Expert...

Clearview’s £17 Million Fine For Processing 10+ Billion Images Is...

Booz Allen Report On CISOs And China Quantum Computing Risks,...

Experts Reactions On Sky Broadband Hack Warning

Ransomware Set To Break Records This Black Friday 2021

Security Expert On Apple Suing NSO Group

Meta Delays Plans To Rollout End-to-end Encryption

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts