The Institute of International Education (IIE), a century-old educational organisation that operates numerous leading international scholarship and fellowship programmes across multiple countries, was found to have left sections of its database unprotected and open to public search. The exposed database was discovered by security researcher Bob Diachenko, who found the databases indexed on the public internet on January 29th. He subsequently reported the vulnerability to the IIE, but states that he received no communication from IIE after multiple efforts to reach out to the organisation.
Thankfully, IIE secured the open database, which gave access to the private data of thousands of students, on February 6. IIE did not communicate with Diachenko, who reported the breach, either to acknowledge the exposed database or to confirm that the flaw had been fixed. News18 had also independently reached out to multiple points of contact at IIE, but received no response after 10 days of contacting the organisation.
The database that was exposed on the public internet did not itself hold the sensitive student documents, but it contained links that allowed access to such documents stored in other parts of the server. The documents in question included passport scans, visa documents, medical forms, funding verification details, student dossiers, and more. A full account of the findings can be found in Diachenko's official blog.
The IIE reportedly administers over 200 educational programmes that cover over 29,000 students every year. Programmes supported by the IIE include the Fulbright Scholarship, Cargill Global Scholars, Carnegie Fellows and other elite international education programmes based mainly in the USA.
Elucidating the risk that the IIE open database could have brought, Diachenko states, “The alarming amount of personal and financial data would make it easy for a criminal to open up new accounts and lines of credit in victims’ names. College-aged students are prime targets for identity theft because they often have clean credit reports and decent credit scores.”
Since the open database remained unprotected even after multiple attempts to contact the organisation, it is possible that malicious actors accessed it. However, no such breach can be confirmed as yet. Questions sent to IIE about the issue remained unanswered after more than one week of attempts to contact the relevant authorities.