The US nonprofit student exchange and scholarship organization known as the Institute of International Education (IIE) has goofed majorly by leaving two Mongo databases online without any access protection. The result of this negligence, which reporters like to call “misconfiguration”, is the exposure of thousands of identification details of students who applied for exchange programs or scholarships, as well as about three million log files that don’t have much value. The discovery was made by security researcher Bob Diachenko, who immediately notified IIE and helped them take the data offline.
At this point, the exact number of compromised individuals is difficult to determine, since the databases contained fragments of personal data among millions of log files, but Diachenko estimates them to be in the thousands. As for the type of data that was spilled, this includes the following:
As the above data are highly sensitive, the students now run the risk of falling victim to identity thieves. When personal and financial information is combined, the door to grave scams also opens wide. A criminal could very easily open a new bank account by using the data that was exposed by IIE, issue credit cards in the students’ names, and pass all bank checks while doing so, since college students have clean credit reports anyway. Other potential risks for the exposed individuals include phishing emails and highly targeted tax scams.
The Institute of International Education operates 18 offices around the world, runs 200 programs and has brought 5700 international students into US universities. Thus, the compromised students could come from any place in the world, and chances are that they’re not from the United States. This story reminds us of a similar blunder made by AIESEC (Association Internationale des Etudiants en Sciences Economiques et Commerciales) almost a year ago, which exposed the sensitive personal and financial information of approximately four million students who applied for scholarships through the organization. Educational institutes and non-profit organizations that accept such sensitive information from young students should start investing more of their budget in cybersecurity, as they are clearly not doing enough.