Pierluigi Paganini November 24, 2023

Almost a million files with minors’ data, including home addresses and photos were left open to anyone on the internet, posing a threat to children.

During a recent investigation, the Cybernews research team discovered that IT company Appscook – which develops applications used by more than 600 schools in India and Sri Lanka for education management – leaked a staggering amount of sensitive data, including photos of minors, home addresses, and birth certificates, due to a misconfiguration of their systems.

The DigitalOcean storage bucket, containing almost a million sensitive files, was left open to anyone without requiring authentication. Leaking private data on the internet, in this case, poses a grave risk, as most of the leaked files expose minors.

• Students’ names
• Names of parents
• Pictures of students attending pre-primary, primary, and secondary schools
• Names of the schools children attend
• Birth certificates
• Fee receipts
• Student report cards/exam results
• Home addresses
• Phone numbers

The company’s 96 school-specific apps aim to support online classes and enable direct communication between parents and schools regarding their child’s academic performance and daily activities. According to the company’s website, more than half a million students and over a million parents use the platform.

Cybernews reached out to Appscook but has yet to receive a response.

A huge threat to children

The leak raises concerns about cybercriminals’ potential misuse of this personal information. The exposed details, particularly home addresses and personal photos, create a disturbing scenario where malicious actors could exploit the vulnerability of children by attempting to extort their parents.

“The leaked data about minors could have dire consequences, as this information can put children at physical risk by revealing their daily whereabouts. It can also be used by someone with malicious intent to impersonate school officials or manipulate children and parents,” said Vincentas Baubonis, Information Security Researcher at Cybernews.

While children may not be as susceptible to digital fraud as adults, threat actors could exploit the leaked personal data for identity theft, fraud, and targeted phishing campaigns against the parents of these children.

In the worst-case scenario, the leak might increase the risk of child abuse. According to the researcher, sharing children’s images can lead to unwanted attention, including from predators.

More details on the original post at: https://cybernews.com/security/appscook-data-leak/

About the author: Paulina Okunytė, Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, schools)