Introduction
Byju’s, India’s most valuable startup and edtech giant, has recently faced a significant security lapse. A server-side misconfiguration exposed sensitive data of its students, including names, phone numbers, addresses, email IDs, loan details, links to scanned documents, and transactional information related to some students.
The Security Lapse
Security researcher Bob Diachenko discovered the exposure due to a misconfigured Apache Kafka server used by Byju’s to send and receive data in real-time. The researcher reported that there were several IP addresses with the misconfigured server, which enabled anyone to access the queue to read the records without a password.
"Anyone could have connected to the queue and read or download the messages," Diachenko told TechCrunch.
The data was first found to be exposed on August 15, according to Shodan, a search engine for exposed devices and databases. While the exact number of students whose data was exposed is unclear, Diachenko stated that one to two million records were accessible due to the issue.
Timeline of Events
- August 15: The data exposure was first detected by Shodan.
- August 22: Diachenko reported the issue to Byju’s directly.
- August 23: Diachenko posted details on X (formerly Twitter) about the misconfiguration, prompting Byju’s to fix the issue soon after.
Response from Byju’s
Byju’s confirmed to TechCrunch that it had fixed the security lapse. However, the company claimed "no data or information was exposed or compromised" during the week that the servers were exposed. Anil Goel, Byju’s chief technology officer, stated in a prepared statement:
"There was a temporary exposure of a small fraction of our systems for a very short duration. Our technical team has promptly resolved this issue as soon as it came to our notice. We would like to reiterate that all our systems have been built around safeguarding the privacy and security of our data."
Byju’s Infrastructure
The latest issue specifically affects Byju’s infrastructure, unlike a previous server-side issue in June 2021 affecting its third-party service provider Salesken.ai.
Challenges Faced by Byju’s
Byju’s is currently grappling with multiple challenges:
- Investor Exodus: Three key investors – Peak XV Partners (erstwhile Sequoia Capital India & SEA), Prosus, and Chan Zuckerberg Initiative – quit its board in June.
- Valuation Slashed: Prosus slashed the valuation of Byju’s to $5.1 billion in June from $6 billion it had valued until November.
- Auditor Exit: Deloitte made an early exit as Byju’s auditor due to delays in financial statements.
- Layoffs: The startup has continued to lay off employees, including up to 1,000 people in June.
- Investigations: Byju’s is under investigation by the Enforcement Directorate (ED) for alleged money laundering.
Conclusion
Byju’s recent security lapse highlights the importance of robust infrastructure and regular security audits. The company must take immediate action to address these concerns and ensure the safety and security of its students’ data.
