April 27, 2018: Security researcher Srinivas Kodali has reported another leak of Aadhaar numbers, this time of school-going children, along with details of their school, class, medium (language) and date of birth.
Security researcher Srinivas Kodali has reported several leaks of data in the past, notably the leak of over 130 million Aadhaar linked details last year and the leaks of surveillance enabling data and data of MNREGA workers this week. This isn’t the first time that government websites have leaked data of citizens. Srinivas Kodali has also reported a leak of 500,000 to 600,000 Aadhaar details of children by a Telangana Government website last year.
The government has repeatedly denied leaks and breaches of Aadhaar data, including in replies to direct questions in the Parliament:
“As on date, no incident of data breach has been reported from Central Identities Data Repository (CIDR) of Unique Identification Authority of India (UIDAI).”
MediaNama’s take
Children in India are legally not able to consent, and making the providing of Aadhaar mandatory in schools forces enrollment with the “consent” of the guardian. However, in reality the parent or guardian has no choice but to get the Aadhaar made, so the consent is illusory. This had been a point of argument by petitioners in the constitutional challenge to Aadhaar being heard by a 5 judge bench in the Supreme Court of India. Leaks of information of this sort further compromise the privacy of children and can make them vulnerable to criminals who can use such information.
Around 69,83,048 children's #Aadhaar data is leaking online. Who is responsible to protect their privacy, Govt, parents, teachers or SC? The first leak I reported in Feb, 2017 was children's data. The UIDAI has never acknowledged this and continues to say, there is no problem. pic.twitter.com/VXDl2B3ru3
— Srinivas Kodali (@digitaldutta) April 27, 2018
April 29, 2018: Andhra Pradesh government shuts down 3 sites for data leak
The Andhra Pradesh government finally pulled its act together and shut down pages of three websites leaking sensitive private information of several lakh Aadhaar cardholders, including that of 69.83 lakh students.
The move comes after repeated complaints over five days to the Unique Identification Authority of India (UIDAI) and the Computer Emergency Response Team (CERT).
So far, the AP government websites have leaked data concerning nearly two crore Aadhaar card holders out of a state population of five crore.
The Commissionerate of School Education (AP) website had collected information of 69,83,048 students across the state to primarily identify the percentage of school dropouts.
However, the government website leaked names, addresses and Aadhaar details of those students. Second, the AP State Housing Corporation website was found to be displaying Aadhaar numbers, bank branches, IFSC codes, account numbers, father’s names, addresses, gram panchayat, mobile numbers, ration card numbers, occupation, religion and caste of housing scheme beneficiaries. And third, the Wages & Social Security Pensions (MGNREGA) Benefit Disbursement Portal (AP) put on public display the identity of benefit recipients.
The data leak was identified by independent security researcher Srinivas Kodali, who filed multiple complaints with various state and Central security agencies, and told Deccan Chronicle that AP has no centralised agency to report data breaches, except for a cyber-security website.
“Even the UIDAI does not have a central platform to accept complaints. However, when the issue was raised to multiple agencies including CERT and the National Physical Information Protection Centre, the pages were removed from the websites,” he said.
Apr 7, 2023: Parents of schoolchildren in Bengaluru raise concern over likely data breach
Rahul R (name changed), father of a class 10 student, finds his phone spammed with messages and calls from coaching institutes and PU colleges these days, asking him if he needs information on admissions and leaving him clueless on how the callers got his phone number. He was all the more perplexed because he had neither visited any of those websites nor looked up the Internet for information on them.
Rahul is not alone. Hundreds of parents in the city are being spammed with similar messages and calls, raising concern over a possible data leak. TOI had reported earlier this week that the state education department was insisting on students sharing their Aadhaar card numbers.
Mohammed Shakeel, the president of Voice of Parents and himself the parent of a class 10 student, said that schools share data with different vendors, resulting in a spike in such calls. “Private data of minors and their parents, provided to schools, is shared by most schools with third-party service providers or vendors. This results in data breach and may even compromise the security of schoolchildren,” Shakeel said.
“Suitable measures must be taken to protect data provided to schools. It must be stored in the systems/servers of the school and must not be outsourced or shared with third-party service providers. Any contract with such parties must be revoked with immediate effect to ensure the safety of children,” he added.
However, D Shashi Kumar, general secretary of the Association of Managements of Primary and Secondary Schools of Karnataka, alleged that it is not the schools but officials at the department of education who are the more likely source behind the leak. “It is a common practice that officials send Google spreadsheets on WhatsApp groups and ask schools to fill in the data of students or teachers. We have now warned all our members not to share any data unless officially sought,” he said.
The department of school education, though, has denied the charge. “These are unsubstantiated allegations. What proof do school associations have about education department officials leaking data? If at all the associations can prove any [department] official’s involvement, we are ready to take action,” said Vishal R, the commissioner, department of school education.
However, experts say the issue is old and the leak can happen in many ways, with data sets being available online. “There are various government systems that collect children’s data — scholarship programmes, exam results, admission to government institutions like Kendriya Vidyalaya. These are known issues. The problem is that data is not protected the way it should be,” said Anivar Aravind, a digital rights activist.
Ruing that no steps are being taken by the government or education department to ensure data privacy, Aravind said even as a data protection Bill is around the corner in Parliament, there is no clarity yet on data consent. “And parents are at a non-negotiable end as they have to share these details to be able to access the services,” said Aravind.
This is not the first time children’s privacy has been put at risk. Previously, Ukhrul Times, Nagaland Express, and India Times broke the news of a pan-India personal data breach of Class X and Class XII students in which their names, father’s names, physical addresses, institution names, and even contact details including phone numbers and email addresses were found in various databases which were being sold on the internet, including on Amazon. Pursuant to this, we wrote to twenty-eight State Commissions for the Protection of Child Rights and four Union Territory Commissions for the Protection of Child Rights to raise our grievances.
We urged the Commissions to initiate an inquiry on the infringing websites and the e-commerce platform (Amazon) and to also forward the case to the Magistrate having the jurisdiction to hear the complaint. The Commissions were also advised to frame and implement remedial measures and guidelines to prevent the leakage of students’ personal data henceforth.
Confidential data of students could be at risk, as a website is claiming to sell the data of 2 crore students for just Rs 299. Of late, we’ve been seeing confidential data of users being sold on the dark web by hackers, like the ones with Mobikwik, Domino’s and others. However, now someone is claiming to sell user data of crores of Indian students. The data is being sold on the website ‘studentdatabase.in’ that gives you an option to either purchase a database of two crore students or purchase a 100 crore pan-India database — each for Rs 399. However, when we tried to click on either of the links, the site showed a 404 error.
Hey @amazon @amazonIN It is illegal to be sell user data. How is someone using your site to sell student data? @AmazonHelp So many listings like this
Sai Sravan Prabhala, a cyber-security researcher, informed us of a critical vulnerability exposing the sensitive personal information of minors. This existed on the website of the Directorate of Government Examinations, Government of Andhra Pradesh, for the 2021 examinations. While this functionality itself has been removed, to prevent it from occurring again we, assisted by Sai, have written to them and CERT-In.
The Indian startup exposed some students’ names, phone numbers, addresses and email IDs. The exposed data also included loan details such as payouts, links to scanned documents and transactional information related to some students. Security researcher Bob Diachenko found the exposure due to a misconfigured Apache Kafka server used by Byju’s to send and receive data in real time.
Diachenko told TechCrunch that there were several IP addresses with the misconfigured server, which enabled anyone to access the queue to read the records without a password. “Anyone could have connected to the queue and read or download the messages,” the researcher told TechCrunch. The data was first found to be exposed on August 15, according to Shodan, a search engine for exposed devices and databases. While the exact number of students whose data was exposed is unclear, Diachenko said one to two million records were accessible due to the issue.
Read more: https://techcrunch.com/2023/08/25/byjus-student-data-exposed/
Additional Information: Legal Consequences of the Vulnerability
This vulnerability violates the students’ fundamental right to privacy, as upheld by the Supreme Court in K.S. Puttaswamy v. Union of India (2019) 1 SCC 1. Significantly, the decision highlighted the need to secure children’s right to privacy, bearing in mind that minors lack the legal capacity to give consent. Additionally, the Government of India has ratified the United Nations Convention on the Rights of the Child (UNCRC). As a result, India endeavours to protect children from all forms of exploitation and arbitrary or unlawful interference with their privacy. Hence, if necessary measures are not taken to protect the personal information of children, it would stand in violation of the Puttaswamy decision, and the UNCRC. ( http://164.100.86.208/NCPCR.pdf?ref=static.internetfreedom.in#page=9 )
The information exposed by the above-mentioned vulnerability – such as “caste or tribe” and “religious affiliation” – has been categorised as “sensitive personal data” under the proposed Personal Data Protection Bill, 2019 (“2019 bill”) as well as the Draft Data Protection bill 2021 (“2021 bill”), for which the Data Protection Authority is empowered to specify additional regulations, safeguards or restrictions.
Clause 24 of the bill requires data fiduciaries to implement necessary security safeguards including “steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. Neglecting to do so can result in a penalty not exceeding five crore rupees or two percent of the fiduciary’s worldwide turnover of the preceding financial year, whichever is higher.
Further, the vulnerability causes significant “harm” – as defined under Clause 3(23) of the Draft Data Protection bill, 2021 – to those affected, as anyone can edit their personal details, which can lead to “loss, distortion or theft of identity”, “humiliation”, and “observation or surveillance that is not reasonably expected”.
Currently, in the absence of an overarching data protection legislation, according to Section 72A of the Act, the websites, school managements, and individuals involved in the mass student data breach can be imprisoned for a term of up to three years or/and can be fined up to five lakh rupees.
Source: TOI, TC, India Times, Medianama, Deccan Chronicle
Also Read: Children’s Right to Privacy hangs in the balance
About 2 Crore Indian Students’ Data Selling Online For ₹299
Bihar Students Database (Class X, CBSE, 2019-2020) – Downloadable Google Drive Link (Excel Format) https://t.co/Vkfkpcw7cp pic.twitter.com/MqpConITld
Student data exposed on Andhra Pradesh Government Examination website!
Byju’s exposed sensitive student data, including loan details