Lack of Online Security Measures Causes More Than 1 Million Students' Personal Data to Be Exposed to Threats

2020 has been a wild roller-coaster ride so far. CIVD-19 locked everyone in and forced many industries and service providers that organized events or otherwise relied on massed gatherings of people to move their services online. The silver lining is that this unfortunate turn of events gave many platforms the opportunity to shine and pushed businesses and service providers to adapt, innovate, and make the most of a bad situation. Unfortunately, this peak in online activity could not pass by without malicious actors getting involved.

In an interesting turn of events, declarations from successful hacker outfits popped up on the dark web, announcing that said hackers will not attack hospitals and other healthcare providers as a sign of solidarity in these turbulent times. Not all cybercriminals have committed to this action, naturally, but it does demonstrate that some of them are just villainous, rather than truly monstrous.

Unfortunately, while hospitals and healthcare providers may be safe from the depredations of some hackers, the rest of the infrastructure needed to keep society running isn’t. This includes schooling, which has largely been moved online and is still at risk. And, as the OneClass debacle shows us, the companies that provide such services need to get their act together.

The e-learning platform based in Toronto, Canada, has been around for more than a decade and is currently actively schooling more than sixty thousand students online, with the real number of its users actually being much higher than that.

According to VPNMentor, their experts stumbled upon an improperly secured database belonging to OneClass. Said database was purportedly freely available on the Internet, because of OneClass’ failure in “securing its servers, implementing proper access rules and never leaving a system that doesn’t require authentication open to the internet.”

Thankfully, it doesn’t seem like a hacker had sniffed out the data and stolen it, but the fact that the personally identifiable information of current students, rejected students, and academics could have easily have been stolen and leaked rises some serious alarm bells.

For their part, OneClass immediately took actions to secure their database and claimed that it was just a test server and did not contain any crucial details, such as financial information or anything of the sort. However, the fact remains that due to poor management of their online activities, a vast trove of 8.9 million records could have ended up leaked online.

That’s approximately 27GB worth of data of people from all walks of life and ages – some of them as young as 13 years old, that could have fallen in the hands of undesirables and been used for nefarious ends.

The silver lining in all of this is that, at the end of the day, no crucial information seems to have actually been leaked. However, this does starkly highlight the need for companies to take cyber-security seriously. The way it is described by VPNMentor, it seems like OneClass’ situation was a disaster waiting to happen, and it’s only good luck that kept the data of millions of users from falling into the wrong hands.

And it’s very important to understand the consequences of a data breach, such as the one that could have happened to OneClass. While the scandal and ruined reputation that comes hand in hand with such a major event is certainly nothing to sneeze at, once a company gets breached, it needs to report the event promptly to the proper authorities and notify all users that their safety is compromised. The breach itself, as well as any negligence in reporting, then opens the company to detailed investigations and, most likely – exorbitant fines. As evidenced by research on the matter, the average cost of a data breach for the victim totals at more than half a million dollars – and it bears remembering that the bigger the platform that was breached is, the more this number grows. All of this can easily bankrupt a company - and it often does.

So What Can be Done About This Situation?

  1. Companies need to get their house in order. They need to be aware that there are malicious actors out there willing to attack them, regardless of how innocuous the target they present. They need to invest in proper security for their online infrastructure and educate their staff on the dangers that lurk online so that they can minimize the chances of being breached.
  2. Regular users need to be wary. It pays to regularly check whether any of your accounts have been compromised in any way. There are several platforms on the Internet that provide such a service. Additionally, it’s a good idea to be on the lookout for news about data breaches and other similar infractions related to companies whose platforms you actively use. Naturally, you will also need to adhere to the best practices for keeping your accounts safe from hackers, as usual.
July 21, 2020

Leave a Reply