Byju’s, the edtech giant and India’s most valuable startup, has been in the news recently for a security lapse that exposed the sensitive data of its students. The data included personal details, loan information, and chat logs of students and parents who use Byju’s online learning platforms.
What happened?
According to security researcher Bob Diachenko, who discovered the issue, Byju’s had a misconfigured Apache Kafka server that was used to send and receive data in real time. The server was left unprotected since at least August 14, 2021, allowing anyone to access the data inside without a password.
The exposed data contained records of some students’ names, phone numbers, addresses, and email IDs. It also included loan details such as payouts, links to scanned documents, and transactional information related to some students. Additionally, the server stored chat logs between parents and WhiteHat Jr. staff, as well as comments recorded by teachers about their students. WhiteHat Jr. is an online coding school for students in India and the U.S., which Byju’s acquired in 2020.
Diachenko reported the issue to Byju’s directly on August 22, 2021. The misconfiguration was fixed soon after the researcher shared its details on X, the platform formerly known as Twitter, a day later.
How did Byju’s respond?
Byju’s confirmed to TechCrunch that it had fixed the security lapse but claimed “no data or information was exposed or compromised” during the week that the servers were exposed.
“There was a temporary exposure of a small fraction of our systems for a very short duration,” said Anil Goel, Byju’s chief technology officer, in a prepared statement. “Our technical team has promptly resolved this issue as soon as it came to our notice. We would like to reiterate that all our systems have been built around safeguarding the privacy and security of our data.”
Byju’s did not confirm the exact number of students affected and did not respond to a question regarding whether the company had notified students of the lapse. Byju’s also would not say if it had the technical means to determine what data, if any, was accessed or downloaded as a result of the security lapse.
Why does it matter?
The data exposure is a serious breach of trust and privacy for Byju’s customers, who entrust the company with their children’s education and personal information. The exposed data could be used by malicious actors for identity theft, fraud, phishing, or harassment. Moreover, the exposure could damage Byju’s reputation and brand value, which is currently estimated at $22 billion after raising $1.5 billion earlier this year.
The incident also raises questions about Byju’s security practices and compliance with data protection laws in India and other countries where it operates. Byju’s claims to follow “stringent data security norms” and be “certified under the highest standards of global security and safety” but did not provide any evidence or details to back up these claims.
The incident also highlights the need for more transparency and accountability from tech companies that handle sensitive user data, especially in the education sector where children are involved. Users should have the right to know how their data is collected, stored, processed, and protected by these companies, and what recourse they have in case of a breach.
What can users do?
If you are a Byju’s customer who is concerned about your data being exposed, here are some steps you can take:
- Contact Byju’s customer support and ask for more information about the incident and how it affects you.
- Change your password and enable two-factor authentication on your Byju’s account and any other accounts that use the same password or email address.
- Monitor your bank statements and credit reports for any suspicious activity or transactions.
- Be wary of any emails, calls, or messages that claim to be from Byju’s or WhiteHat Jr. and ask for your personal or financial information. Do not click on any links or attachments that you do not recognize or trust.
- Educate yourself and your children about online safety and privacy best practices.
What Can Businesses Learn From This?
- Data security is a crucial and ongoing responsibility for any business that handles sensitive user data, especially in the education sector where children are involved. Businesses should implement and maintain best practices for data protection, such as encryption, authentication, access control, and monitoring.
- Data breaches can have serious consequences for businesses, such as reputational damage, legal liability, customer churn, and financial loss. Businesses should have a contingency plan for responding to data breaches, such as notifying affected users, fixing the issue, and mitigating the impact.
- Data transparency and accountability are essential for building trust and loyalty with customers. Businesses should inform users about how their data is collected, stored, processed, and protected, and what rights and options they have regarding their data. Businesses should also be honest and proactive about disclosing and addressing any data incidents that may occur.
Conclusion
Byju’s is one of India’s most successful and influential tech startups, with over 100 million registered users and 6.5 million paid subscribers. It offers online courses for students from kindergarten to grade 12, as well as test preparation for competitive exams. It also owns WhiteHat Jr., which teaches coding skills to children aged 6 to 18.
However, Byju’s recent security lapse has exposed the sensitive data of some of its students, putting them at risk of identity theft, fraud, or harassment. The company has fixed the issue but has not been transparent or accountable about its impact or implications. Users should be vigilant and proactive about protecting their data and privacy, and demand more from Byju’s and other tech companies that handle their data.
