Misconfiguration in BYJU’S server exposed some students’ sensitive data, including their loan and payment details, according to security researcher Bob Diachenko
BYJU’S told Inc42 that the glitch happened for a short period of time and no data was compromised
The incident adds to the woes of BYJU’S, which has been plagued with multiple controversies pertaining to corporate governance, funding crunch, layoffs, among others
A security researcher has claimed that a technical glitch at BYJU’S exposed sensitive data of students, including their loan and payment details. However, the embattled edtech giant told Inc42 it was a temporary glitch and no data was compromised.
The glitch came to notice after security researcher Bob Diachenko posted on X (formerly Twitter) about it on August 23. “Byju’s, an education technology giant and India’s most valuable startup, exposed data of its customers via misconfigured service instance. While there is no response from the company, personal data of students, incl. loan and payment details along with other info, is at risk,” he said.
TechCrunch reported that names, addresses, phone numbers and email IDs of the students were also exposed.
However, BYJU’S said that no personal data was exposed. “There was a temporary exposure of a small fraction of our systems for a very short duration. Please note, no data or information was exposed or compromised during this event,” BYJU’S CTO Anil Goel said.
“Our technical team has promptly resolved this issue as soon as it came to our notice. We would like to reiterate that all our systems have been built around safeguarding the privacy and security of our data,” Goel added.
Back in 2021, a similar case was reported with BYJU’S data that involved a security lapse and “this time it is much worse”, Diachenko’s post on X said.
Diachenko told TechCrunch there were several IP addresses with the misconfigured server that enabled anyone to access the queue to read the students’ records without a password.
The company used the misconfigured Apache Kafka server to send and receive data in real time, he said.
The misconfiguration was apparently fixed after the researcher’s post on X.
Earlier in 2020, personal data of 2.8 Lakh students and teachers enrolled on BYJU’S-owned WhiteHat Jr was reportedly exposed due to vulnerabilities in the company’s server.
Diachenko reportedly claimed 1 Mn-2 Mn records were accessible due to the latest issue at the startup.
BYJU’S Many Troubles
The incident adds to the woes of BYJU’S, which has been plagued with multiple controversies and issues pertaining to corporate governance, funding crunch, layoffs, delay in filing financial statements, and $1.2 Bn Term Loan B.
The beleaguered edtech decacorn also witnessed a major overhaul of its board and core team recently.
In June this year, three of its board members, including GV Ravishankar, MD of early-backer Peak XV Partners, resigned, along with representatives of Prosus and Chan Zuckerberg Initiative.
BYJU’S former auditor Deloitte also quit from its role citing the delay in the filing the financial statements for FY22.
The company’s SVP for international business, Cherian Thomas, left the company this month.
Meanwhile, the startup recently roped in former Infosys executive VP and HR head Richard Lobo as an exclusive advisor in an attempt to transform its HR function. BYJU’S has also hired former upGrad CEO Arjun Mohan as the CEO of its international business.
The edtech company also appointed former SBI Chairperson Rajnish Kumar and ace investor TV Mohandas Pai as members of its advisory council in July.
