Data breach at Kannur University: Better cybersecurity mechanisms needed in all educational institutions, say experts

There has been a 20 per cent increase in cyber threats in the global education sector in the first three months of 2022, compared to the corresponding period of 2021
Image for representation purpose only | Pic: EdexLive

Following a major data leak at Kannur University, Kerala, in which details of over 33,000 students were found on a dark web portal, cybersecurity experts opine that educational institutions should enforce proper mechanisms to protect students' data.

A Kochi-based private cyber security firm, Technisanct, verified the leaked data of Kannur University while scanning dark web activities. The leaked data includes name, application number, email, password, Aadhaar number, phone number, admission details and year of passing. There are 321 records from 2018; 7,060 from 2019; 9,127 from 2020; 8,648 from 2021 and 7,874 records from 2022 on the portal, according to a report shared by the firm that EdexLive has a copy of. 

"There are clear regulations from the Unique Identification Authority of India (UIDAI) on the storage of Aadhaar numbers. They are not supposed to store it as plain text and even if they are storing it, it has to be encrypted and the encryption key needs to be stored secretly. In this case, these regulations were violated," informed Nandakishore Harikumar, Founder and CEO of Technisanct. 

In fact, educational institutions in India are among the biggest targets for cyber threats, according to a report titled Cyber Threats Targeting the Global Education Sector, which also claims that there has been a 20 per cent increase in cyber threats in the global education sector in the first three months of 2022 compared to the corresponding period of 2021.

It may be recalled that on November 23, the All India Institute of Medical Sciences (AIIMS), Delhi reported a failure in its server, which had been down since 7 am, leading to chaos at the hospital as officials were left to manually manage the OPD (outpatient departments) and sample collection. This was the first attack of its kind on a premier health institution in the country.

How is the data collected?

Experts point out that educational institutions collect Personally Identifiable Information (PII) from students and their families. "The bonafide of students are collected at the time of admission which includes 10-15 years of history of the child that is kept on record. Moreover, certificates related to the income of the family are also asked for. A few institutes also store information about blood groups and other health records. These are kept in very unsafe systems and are not used properly," said Rupesh Mittal, Founder, Cyber Jagrithi Foundation and a cyber consultant.

Some experts say that collecting such information might be necessary for emergency purposes. "But the responsibility of protecting that data falls on the guardian and the institution too. A data protection law might bring some level of regulation and put pressure on institutions to ensure security," said Srinivas Kodali, an independent researcher on data security.

In fact, the University Grants Commission (UGC) made the appointment of a Chief Information Security Officer in universities compulsory to follow the Point of Action for the preparation and implementation of a Cyber Crisis Management Plan (CCMP) for countering cyber attack and cyber terrorism. "However, many educational institutions have not yet made any recruitments for this position," said Rupesh. 

Other institutions, other instances

Such cases of data breaches are not uncommon in educational institutions. In 2018, data of students who took the National Eligibility Cum Entrance Test (NEET) was available for buyers through a website. The website claimed to have access to records of 2,50,000 students along with their gender, roll numbers, rank in the exam as well as mobile numbers, as stated by media reports.

Additionally, according to data shared by Technisanct, the personal information of about one million Kashmir University students and teachers, including registration numbers, email IDs and passwords, was allegedly leaked by hackers in August 2022. This was just one of the cases among many, according to the data shared.

What should be done?

Experts emphasise the need to maintain the anonymity of students' data. "Students' names should not be mentioned anywhere. Roll numbers should be used. Additionally, their data must be stored in a standalone system on campus and physical security must be ensured. Whosoever can access this system must be aware of the threats posed by cybersecurity," said Rupesh.

Although the Right to Privacy is guaranteed to citizens, there is no law that protects their data, said Srinivas. "Until there is some level of regulation, this problem is going to persist. We will have to see in what form the current Draft Digital Data Protection Bill will be passed. It does, however, relax a lot of rules for the private sector and government," he added.

Another cybersecurity expert, Rakshit Tandon, emphasises the need for strict cybersecurity laws. "Universities need to have a data security and privacy policy and must have experts keep a watch on campus activities. While there are courses that are teaching cybersecurity concepts to students, the university's security itself is zero. The staff must be educated on cyber safety," he said.
