India-based educational technological company Byju’s becomes embroiled in a data security incident after having its server exposed by Salesken.ai. The server in question has reportedly been unprotected for at least two weeks from around June 14, 2021.
The server was left unprotected since at least June 14, according to historical data provided by Shodan, a search engine for exposed devices and databases. Because the server was without a password, anyone could access the data inside.
Salesken.ai provides customer relationship technology to companies like Byju’s to engage better with customers. The Bengaluru-based startup raised $8 million in Series A funding from Sequoia Capital India in 2020, two years after the company was founded.
Much of the data contained on the exposed server pertained to WhiteHat Jr., an online coding school for students in India and the U.S., which Byju’s bought for $300 million in 2020. Byju’s is currently valued at more than $16 billion after raising $1.5 billion earlier this year.
Chief executive officer and co-founder of Salesken.ai, Surga Thilakan, told Tech Crunch in an interview that “Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India based end-of-life sales logs for a fortnight.”
Among the information compromised by the exposed server include Byju’s student data. These include student names, the classes these students have taken, as well as the contact information of students such as their email addresses.
Apart from these, the phone numbers of parents and teachers have also been made vulnerable. The unprotected server also includes chat logs between parents and the staff of WhiteHat Jr. and comments of teachers regarding their students.
The company also would not say if it has logs or any evidence to determine if data was accessed or downloaded as a result of the security lapse.
Following the incident, WhiteHat Jr. spokesperson Sameer Bajaj maintained that they were in contact with Salesken.ai. The coding school also said that they will be taking the necessary taking steps “in accordance with our rigorous security policies.”