The Institute of International Education (IIE) has unwittingly exposed a database containing the personal information of thousands of students.
Security researcher Bob Diachenko, who discovered the database, explained that IIE utilised a content management system, Drupal, which stored the documents on two identical MongoDB databases hosted at different IP addresses.
Both databases were misconfigured and left open without a password or any other authentication, making them accessible to anyone.
The database contained three million log files. Diachenko estimates that thousands of them contain links with active access tokens to sensitive personal documents, including passport scans, visa documents and applications, emails, medical forms, admission letters, funding verification documents, grant documents, W-4 federal tax withholding forms and more.
The documents were uploaded as early as 2018, and the timestamps in the database indicate that the data was still being uploaded until access was secured.
Diachenko estimates that the number of affected students is in the thousands as the personal documents are buried among the log files.
“An identity thief couldn’t ask for a better payload. The alarming amount of personal and financial data would make it easy for a criminal to open up new accounts and lines of credit in victims’ names, for example,” warned Security Discovery.
Students are attractive targets for identity theft due to often having clean credit reports and decent credit scores.
Those impacted are urged to check their credit reports regularly in the upcoming months. In addition, students should be on the lookout for tax scams.
The post #Privacy: US non-profit exposes private student documents appeared first on PrivSec Report.