Edraak, a nonprofit online education organization, revealed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently in error.
The non-profit organization, founded by Jordan’s Queen Rania and based in the kingdom’s capital, was established in 2013 to promote education in the Arab region. The organization works with several partners, including the British Council and edX, a consortium set up by Harvard, Stanford and MIT.
In February, researchers at UK cybersecurity firm TurgenSec discovered one of Edraak’s cloud storage servers, which contained records on at least tens of thousands of students, including spreadsheets with student names, email addresses, gender, year of birth, country of nationality and some grades.
TurgenSec, which operates Breaches.UK, a security incident disclosure site, alerted Edraak to the security failure. A week later, the organization acknowledged their email, but the data remained exposed. Emails seen by TechCrunch show that the researchers then attempted to alert other people working at the organization through LinkedIn requests, and also contacted its partners, including the British Council.
Two months later, the server was still open. At the researchers’ request, TechCrunch contacted Edraak, which shut down the server a few hours later.
In an email this week, Edraak chief executive Sherif Halawa told TechCrunch that the storage server was “intended to be publicly accessible and to host items of public course content, such as images of coursework, videos and educational files,” but that “student data is never intentionally placed in this bucket.”
“Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket,” Halawa confirmed.
“Unfortunately, our initial analysis did not locate the stray data that accidentally got there. We’ve attributed the elements of the Breaches.UK email to regular student downloads. We have now located these misplaced reports today and fixed the problem,” said Halawa.
The server is now closed to public access.
It’s unclear why Edraak ignored the researchers’ initial email, which revealed the location of the unprotected server, or why the organization’s response was not to ask for more details. When reached, British Council spokeswoman Catherine Bowden said the organization received an email from TurgenSec but mistook it for a phishing email.
Edraak CEO Halawa said the organization had already started informing affected students about the incident and published a blog post on Thursday.
Last year, TurgenSec found an unencrypted customer database owned by UK internet provider Virgin Media that had been left online by mistake, containing records linking some customers to adult and explicit websites.