Edtech company BYJU’S has acknowledged that there was a brief and temporary exposure of its systems. However, it added, there was no compromise of student data or information during this event.
Responding to the allegation by security researcher Bob Diachenko that BYJU’S had exposed personal information of students, including loan and payment details, Anil Goel, Chief Technology Officer at BYJU’S, said in a statement, “There was a temporary exposure of a small fraction of our systems for a very short duration… no data or information was exposed or compromised during this event.
“Our technical team has promptly resolved this issue as soon as it came to our notice. We would like to reiterate that all our systems have been built around safeguarding the privacy and security of our data.”
On August 23, Diachenko wrote on X that BYJU’S had exposed the data of its customers via a “misconfigured service instance”.
“While there is no response from the company, personal data of students, including loan and payment details along with other info, is at risk,” he said.
According to a TechCrunch report, the data’s exposure was initially detected on August 15 through Shodan, a search engine. Diachenko said he notified BYJU’S about the issue. However, the company remained unresponsive until the details were disclosed on X. Subsequently, the misconfiguration was rectified, the report added.
A similar incident happened with BYJU’S in 2020, when sensitive information including student names, courses enrolled in, and the contact details of parents and educators was exposed on an unsecured server.
Diachenko has commented on X that the current situation is even more severe than the earlier event.