An unsecured server at Salesken.ai, a technology provider to e-learning portal Byju’s, had put student data at risk of a leak. TechCrunch reported the server had been unprotected since at least 14th June 2021.
What all details were available?
Data found on the server contained student names and classes along with email addresses and phone numbers of parents and teachers. It also contained log chats between parents and staff and teachers’ comments on their students. Copies of email with codes to reset user accounts and internal Salesken.ai data were also found on the server.
Much of the data contained on the exposed server pertained to WhiteHat Jr., an online coding school for students in India and the U.S. Byju’s acquired this in 2020.
The flaw was detected by a security researcher, Anurag Sen. He asked TechCrunch to help report it to the company. Shortly after this, the server pulled offline.
What is Salesken?
It is a Bengaluru-based start-up. It provides customer relationship technology to companies like Byju’s to increase their sales and market cap.
Its CEO & Co-founder Surga Thilakan, said “the start-up was “evaluating” the security incident but did not dispute what kind of data was found on the exposed server. Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India-based end-of-life sales logs for a fortnight.”
She further said, “Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device.”
WhiteHat Jr’s Response
Their spokesperson Sameer Bajaj said, “Salesken.ai, is one of the WhiteHat Jr’s vendors for India operations. He said, they are communicating with Salesken about the incident and will take appropriate action under our rigorous security policies.”