The Institute of International Education (IIE), a US nonprofit that focuses on foreign exchange study and scholarship, exposed a database on the web containing thousands of logs and links to private student documents. The database was accessible without a password or any other authentication.
Although the database itself did not contain documents, it did contain links with active access tokens to documents stored elsewhere. Links to passport scans, application forms, visas, emails, and other documents were discovered by security researcher Bob Diachenko. He immediately notified IIE upon discovering the data so that it could be secured. However, students might still be at risk of identity theft and fraud.
Diachenko explains that IIE used Drupal, a content management system, which stored the documents in watchdog logs on two identical MongoDB databases hosted at different IP addresses. Both were misconfigured and allowed anyone access.
It’s difficult to gauge how many students are impacted because the personal documents are buried among 3 million other logs, but Diachenko estimates the number of affected persons is in the thousands, if not more.
Timeline of the exposure
The documents were accessible to anyone with a web browser for more than a week before IIE secured them.
- January 29, 2020 — The two identical MongoDB instances were first indexed by search engines
- January 29, 2020 — Diachenko found the misconfigured databases and immediately notified IIE
- February 6, 2020 — IIE secured the data.
We do not know if any other unauthorized parties accessed the database while it was exposed, but it’s likely given the timeframe.
Remarkably, IIE did not respond to numerous requests to comment on this incident. We will update this report if/when we hear back from the organization.
What data was exposed?
The database is comprised of about 3 million log files, most of which are uninteresting. But Diachenko estimates thousands of them contain links with active access tokens to sensitive personal documents uploaded to IIE’s website by students, including:
- Passport scans
- Visa documents and applications
- Medical forms
- Admission letters
- Funding verification documents
- Dossiers on students
- Student transcripts
- Enrollment information
- Scholarship information
- I-94s (US arrival and departure records)
- Grant documents
- W-4 federal tax withholding forms
Timestamps in the database indicate new data was still being uploaded until access was secured. The documents were uploaded as early as 2018, though the documents themselves might have been older.
Dangers of exposed data to international students
Identity theft is a clear risk to students whose data was exposed. An identity thief couldn’t ask for a better payload. The alarming amount of personal and financial data would make it easy for a criminal to open up new accounts and lines of credit in victims’ names, for example.
College-aged students are prime targets for identity theft because they often have clean credit reports and decent credit scores. We strongly urge impacted students to check their credit reports regularly in the upcoming months.
Tax fraud is another threat, so impacted students should be on the lookout for tax scams during the upcoming tax season.
Fraudsters might target affected students with scholarship scams and phishing campaigns, using their personal information to craft targeted messages.
The Institute of International Education is a US 501(c)(3) nonprofit organization with 18 offices in more than a dozen countries. It governs more than 200 programs serving 29,000 people from nearly every country in the world. That includes more than 5,700 international students placed at US universities. Some of the programs it administers and funds include partners such as the Fulbright Student Program, TechWomen, Carnegie Fellows, the US Department of Defense, Cargill Global Scholars Program, and USAID. Most of its funding comes from US government agencies.
The IIE has a broad purview but much of its efforts go toward managing international student exchange programs and various types of financial assistance including scholarships, fellowships, and grants for international students. Students can apply for programs and financial assistance through the IIE.org website.
How and why we discovered this exposure
Our goal is to help to protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide.
Our extensive cybersecurity knowledge lends itself well to searching for and analyzing data leaks. Our due diligence demands that we make every attempt to identify who is responsible and notify them as quickly as possible.
Our hope is to minimize harm to end users whose data was exposed. We take steps to find out what each database contained, for how long it was exposed, and what threats to end users might arise as a result. Our findings are compiled into reports like this one to raise awareness and curb misuse of personal data by malicious parties.