WhiteHat Jr, a popular online coding platform for young kids, allegedly exposed the data of over 2.8 lakh students and teachers due to multiple vulnerabilities. The platform claims that it had fixed the flaws after it was informed by a security researcher. It also claimed that “no breach of data has happened” due to the loopholes.
The researcher who discovered the vulnerabilities said that the issue existed due to a misconfigured backend server that exposed data including student names, age, gender, profile photos, user IDs, parents' names, and progress reports. The data is said to have included the details of a large number of minor students. The platform was informed of this issue on November 19.
Salary details of WhiteHat Jr employees as well as its internal documents and dozens of recorded videos of online classes being conducted by the platform were also exposed, according to the researcher.
The researcher reportedly got a response within a day after emailing the platform's Chief Technology Officer, Pranab Dash, on November 19 and 20.
“WhiteHatJr takes security and privacy issues very seriously. We are committed to both our customers and to our compliance with applicable laws. Based on information received from responsible disclosures, we reviewed our setup and worked to patch specific identified vulnerabilities within 24 hours. We reiterate that no breach of data has happened in this context on company’s computer systems and networks, out of an abundance of caution we are continuing our investigation to ensure that this is the case. We regularly undertake and continue with various initiatives to strengthen our Security and Privacy set-up and have also retained external security experts to assist us,” the platform said in a statement.
Sonit Jain, CEO of GajShield Infotech, a security solutions platform, said that dependency on older security approaches to secure against newer data threats is leading to incidents like this.
“Human errors are very common and these errors lead to data breaches. With cloud being more convenient for enterprises to allow access to data for business operations, making this move without proper precautions can be disastrous for data security. This move must be backed by a strong data security approach with the ability to gain complete visibility on their entire threat surface, including internal threat vectors and the understanding of how this data is being handled. This must also be followed by regular vulnerability checks on their security infrastructure, especially for their cloud data,” he said.