The OneClass app, a popular remote learning platform, recently suffered a data breach through an unsecured Elasticsearch database hosted on Amazon Web Services (AWS), which exposed the personal information of over 1 million students.
The e-learning platform is based in Toronto, Canada, and was founded in 2010. It currently claims to have more than 600,000 students taking their academic studies online; however, the real number is much higher.
Security researchers at vpnMentor discovered the app's publicly accessible database, which was over 27GB in size and contained PII and educational data of students from North America and other regions.
“The database leaked over 8 million records, exposing users’ data, including full names, email addresses, phone numbers, schools and universities attended, etc.,” the vpnMentor research team told Quickcyber.
“It’s also possible that some of the data belongs to minors, as OneClass includes resources for high school students and accepts users from 13 years old and above,” vpnMentor said in their report. “Many records also included additional information on individual students and their courses, including faculty details and access to otherwise protected textbooks and “Question and Answer” exercises.”
The team said they discovered the unsecured database on May 20, 2020, and notified OneClass about it on May 25, 2020.
“In response, OneClass immediately secured the database (on May 26, 2020) but claimed that it was a test server, and any data stored within had no relation to real individuals.”
“OneClass users are very young – including minors – and will generally be unaware of most criminal schemes and frauds online. This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk,” researchers said.
“As stated on its website, OneClass user data is subject to the United States’ privacy laws. Furthermore, the company’s servers are located in the US, along with most of its users. As a result, it falls within the jurisdiction of California’s CCPA data privacy law and broader regulations across North America,” vpnMentor further added in their report.
“The company is thus required to take specific steps in response to this data breach and may face auditing or investigations from regulatory agencies. Such outcomes could take considerable time and even result in fines,” the report concluded.