The Institute of International Education (IIE) operates hundreds of international scholarship and fellowship programs that cover in excess of 29,000 students, from 185 countries, every year. The organization is headquartered in New York.
It has been announced that the IIE left sections of its database unprotected and open to public search. The weakness was discovered by security researcher Bob Diachenko, who proceeded to notify the IIE upon discovering the data so that it could be secured. It remains that students may still be at risk of identity theft and fraud.
The exposed database contained about 3 million log files, but the security researcher found that thousands of them had links with active access tokens to sensitive personal documents that students uploaded to IIE’s website such as:
Passport scans
Visa documents and applications
Applications
Emails
Medical forms
Admission letters
Funding verification documents
Dossiers on students
Student transcripts
Enrollment information
Scholarship information
I-94s (US arrival and departure records)
Grant documents
W-4 federal tax withholding forms
Looking into the issue Vinay Sridhara, CTO, Balbix tells Digital Journal about the importance of the potentially compromised data: “The Institute of International Education collects troves of highly sensitive and personal data of students around the globe and must take a stringent approach to protecting that data. ”
Sridhara indicates that the situation is not atypical: “Unfortunately, the recent data leak caused by a simple security flaw experienced by the IIE is one that we have seen over and over. Companies continue to compromise data and suffer costly breaches due to exposed, unsecure databases left open and accessible to anyone online without basic protection such as a password. It was just over a month ago that Wyze leaked 2.4 million users’ data because no security protocols were configured to protect the database.”
in terms of the importance of the data, Sridhara states: “Given that the leaked documents contained valuable information including passport scans, medical forms and tax withholding forms, students associated with the IIE should take caution. The data can be leveraged to craft targeted phishing campaigns, scholarship scams or tax scams to prey on unsuspecting students. ”
As to what similar organizations need to do as part of preventative actions, says: “To mitigate vulnerabilities across an organization’s entire IT infrastructure and safeguard databases, it is vital that organizations achieve clear and comprehensive visibility over all assets, threats and risks across their networks. Effective security strategies that actively monitor for and quantitively assess all possible vulnerabilities, will enable companies to easily and quickly identify and patch unsecure databases before it’s too late.”
