MongoDB instances at it again.
Another day, another data breach – This time, the Institute of International Education (IIE) in the United States has exposed highly sensitive records of users including foreign exchange students around the world.
For your information, among other things, IIE handles International Student Exchange, initiates programs of study and training for students, educators and professionals from various sectors around the world.
The incident in the discussion is related to two MongoDB databases owned by IEE that exposed the personal and financial data of students including documents uploaded on IEE’s website by students.
It is worth noting that although both databases were left exposed without any security authentication, they did not store the data on them but contained active links with access tokens allowing anyone to get their hands on the data.
According to a blog post by Bob Diachenko, the researcher who identified these databases, thousands of individuals have been affected by the breach. The analysis of the data revealed that it exposed the following:
Dossiers on students
Funding verification documents
Visa documents and applications
W-4 federal tax withholding forms
I-94s (US arrival and departure records)
The good news is that IIE took the matter seriously and secured the data based on Diachenko’s report. However, it is unclear if both databases were accessed by any third party with malicious intent. In case it did, it can turn into a nightmare where cybercriminals can use the data for identity theft, blackmailing and phishing scams.
According to Anurag Kahol, CTO at Bitglass, “Managing students’ medical forms, passport scans, visa documents as well as other highly sensitive data, makes the Institute of International Education an attractive target for cyberattacks.”
“While there is no evidence that the data has been misused, the temporary exposure still opened up a window for threat actors to access the vulnerable data in order to use it to commit identity theft or launch highly targeted phishing attacks toward the impacted students. Consequently, the nonprofit may face costly penalties for violating compliance regulations, such as CCPA, GDPR and even HIPAA,” Kahol warned.
He also advised that “organizations must take the proper cloud security steps in 2020, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their databases, maintain compliance with regulations, and protect the sensitive data that they have been entrusted with.”
If you are a foreign exchange student or uploaded your data on the Institute of International Education’s website, you should get in touch with the institute.