Diksha app glitch exposes 6 lakh students' data: Report
Data of nearly 6 lakh Indian students has reportedly been exposed due to a glitch in the government's Diksha app. According to a report, the app's data was stored on an unprotected cloud server, exposing information such as names, email IDs, school records, and more. The app was launched by the Union Ministry of Human Resources and Development (now called the Ministry of Education) in 2017, mainly to train teachers in India with study materials. However, after the COVID-19 outbreak in 2020, the app added interactive study materials for students (from classes 1 to 12).
As per a report by Wired, a UK-based security researcher identified the glitch in the government's app Diksha, an acronym for the Digital Infrastructure for Knowledge Sharing app. Although the report does not name the researcher, Human Rights Watch, in a publication, notes that Nathaniel Fried, co-founder of Anduin, the intelligence software company, identified the exposure.
The report states that data such as full names, email addresses and phone numbers of more than 10 lakh teachers was left exposed on an unprotected cloud server. In addition, some student data, including email addresses and phone numbers, was partially hidden. However, other details, including students' full names, information about their schools, enrollment dates, and course completion, were fully accessible. Some of the exposed data was available to Google, as the cloud server, hosted on Microsoft Azure, was not protected.
Direct bank-related details do not appear to be attached to the Diksha app; however, Hye Jung Han, a researcher at Human Rights Watch, told the publication that the scope of the exposure raises "traditional children's protection concerns." She points out, "If you have information about children's names, contact details, and what schools they attend, that tells you about the neighbourhood where they live. This raises what we call traditional children's protection concerns. They can also use children as a way to get to their parents—blackmail and harassment being fairly common, unfortunately, in India, specifically around education data."
It appears the researcher first discovered the flaw in June 2022. This was almost a month after Human Rights Watch claimed that Diksha and several other government-run educational apps collected sensitive information, such as location data, device models and more, and shared it with private companies, including Google. The same report noted that the Indian government even allowed teachers and students to use the app and did not provide any alternative.
Notably, the Diksha app was developed by EkStep, a foundation co-founded by Nandan Nilekani. Nilekani is known for his work at Infosys (a company he co-founded) and at Aadhaar (since he was president of UIDAI).