• IIE has left two MongoDB instances online without setting up a password to protect them.
  • Thousands of students have had both their sensitive personal data and their financial data exposed.
  • The organization is exposing people at the worst time of their lives, leaving them vulnerable to identity theft vultures.

The US nonprofit student exchange and scholarship organization known as the Institute of International Education (IIE) has goofed majorly by leaving two MongoDB databases online without any access protection. The result of this negligence, which reporters like to call “misconfiguration”, is the exposure of thousands of identification details of students who applied for exchange programs or scholarships, as well as about three million log files that don’t have much value. The discovery was made by security researcher Bob Diachenko, who immediately notified IIE and helped them take the data offline.

At this point, the exact number of compromised individuals is difficult to determine, since the databases contained fragments of personal data among millions of log files, but Diachenko estimates it to be in the thousands. The types of data that were spilled include the following:

  • Passport scans
  • Visa documents and applications
  • Applications
  • Emails
  • Medical forms
  • Admission letters
  • Funding verification documents
  • Dossiers on students
  • Student transcripts
  • Enrollment information
  • Scholarship information
  • I-94s (US arrival and departure records)
  • Grant documents
  • W-4 federal tax withholding forms

As the above data are highly sensitive, the students now run the risk of falling victim to identity theft actors. When personal and financial information is combined, the door to grave scams also opens wide. A criminal could very easily open a new bank account using the data that was exposed by IIE, issue credit cards in the students’ names, and pass all bank checks while doing so, since college students have clean credit reports anyway. Other potential risks for the exposed individuals include phishing emails and highly targeted tax scams.

The Institute of International Education operates 18 offices around the world, runs 200 programs and has brought 5700 international students into US universities. Thus, the compromised students could come from any place in the world, and chances are that they’re not from the United States. This story reminds us of a similar blunder made by AIESEC (Association Internationale des Etudiants en Sciences Economiques et Commerciales) almost a year ago, which exposed the sensitive personal and financial information of approximately four million students who applied for scholarships through the organization. Educational institutes and non-profit organizations that accept such sensitive information from young students should start investing more of their budget in cybersecurity, as they are clearly not doing enough.