At a time when investors are taking a hard look at India’s ed-tech following the Byju’s debacle, this Bengaluru-based company seems to have inadvertently let out sensitive student data through a technical glitch. Reports suggest that a server-side misconfiguration could have exposed data related to loans, payouts, and identity documents of its students.
A report published by TechCrunch claims that the volumes of sensitive data released could be in the millions, though the company itself denies this. However, it does confirm a security lapse but suggests that no data or information was exposed or compromised during the week that the servers were exposed.
Another blow to Indian ed-tech?
This comes at a time when growth equity firm General Atlantic has reportedly decided to distance themselves from India’s ed-tech companies. A report in MoneyControl claimed that they declined investment opportunities across two such companies in 2023. In fact, they aren’t the only ones as investments in Indian ed-tech have plummeted to a fifth since 2020-21.
Barely a few months ago, key investors in the company had cut the cord claiming that the Byju’s management were regularly disregarding their advice related to strategic, operational, legal and corporate governance matters. Additionally, there were also questions raised about ed-tech valuations in the country due to Byju’s developing story.
A brief breach, but no way of knowing the impact
Coming back to the data breach reports, TechCrunch quoted security researcher Bob Diachenko, who discovered the breach resulting from a wrongly configured Apache Kafka server. He noted that several IP addresses were with this server that anyone could have accessed and read the records without a password.
The data exposure was first reported by search engine Shodan on August 15, which was promptly brought to the notice of Byju’s on August 22. The issue was fixed within a day and reported on X (formerly Twitter). Diachenko believes a million to two million data records were accessible due to the issue.
However, Byju’s CTO admitted to a temporary exposure of a “small fraction of our systems for a very short duration. The prepared statement, however, was categorical that the technical team promptly resolved the issue. However, there was no mention of the exact number of records that were compromised or whether any of it was out in the open.
In fact, this is the second such breach coming from the server side, though the previous one happened at Byju’s third-party service provider’s end. Salesken.ai had exposed personal data about students including personal details, their academic choice of courses and other details that they had shared with WhiteHatJr., the coding platform acquired by Byju’s.
A data-breach that Byju’s could ill-afford
The data breaches couldn’t have come at a more inopportune time for the ed-tech giant, valued at $22 billion. Earlier this year, Deloitte exited from the company as its auditor for delays in presenting their financial statements. Around this time, Byju’s was also laying off employees, with as many as a thousand of them losing jobs in June itself.
In parallel, they had to face searches from government agencies checking for money laundering crimes besides a probe by the Ministry of Corporate Affairs amidst repayment challenges with those who had lent them a $1.2 billion term loan. Close on the heels of these developments, three key investors – Peak XV Partners (formerly Sequoia Capital), Prosus and Chan Zuckerberg Initiative – quit the Board.
In fact, some of the investors say that Byju’s is also a lesson for them in deciding how much debt they should allow the start-ups to accumulate in the growth phase. Ed-tech investments have dropped by 80% during 2022, says MoneyControl, while noting that during the first eight months of 2023, these firms raised $400 million, as against $2.4 billion in 2022.