The Institute of International Education Exposed Thousands of Students

  • IIE has left two MongoDB instances online without setting up a password to protect them.
  • Thousands of students have had both their sensitive personal data and their financial data exposed.
  • The organization is exposing people at the worst time of their lives, leaving them vulnerable to identity theft vultures.

The US nonprofit student exchange and scholarship organization known as the Institute of International Education (IIE) has goofed majorly by leaving two Mongo databases online without setting up any protection on access to them. The result of this negligence, which reporters like to call “misconfiguration”, is the exposure of thousands of identification details of students who applied for exchange programs or scholarships, as well as about three million log files that don’t have much value. The discovery was made by security researcher Bob Diachenko, who immediately notified IIE and helped them take the data offline.

At this point, the exact number of compromised individuals is difficult to determine, since the databases contained fragments of personal data among millions of log files, but Diachenko estimates them to be in the thousands. As for the type of data that was spilled, this includes the following:

  • Passport scans
  • Visa documents and applications
  • Applications
  • Emails
  • Medical forms
  • Admission letters
  • Funding verification documents
  • Dossiers on students
  • Student transcripts
  • Enrollment information
  • Scholarship information
  • I-94s (US arrival and departure records)
  • Grant documents
  • W-4 federal tax withholding forms

As the above data are highly sensitive, the students now run the risk of falling victim to identity theft actors. When personal and financial information is combined, the door to grave scams also opens wide. A criminal could very easily open a new bank account using the data that was exposed by IIE, issue credit cards in the students’ names, and pass all bank checks while doing so, since college students have clean credit reports anyway. Other potential risks for the exposed individuals include phishing emails and highly targeted tax scams.

The Institute of International Education operates 18 offices around the world, runs 200 programs and has brought 5700 international students into US universities. Thus, the compromised students could come from any place in the world, and chances are that they’re not from the United States. This story reminds us of a similar blunder made by AIESEC (Association Internationale des Etudiants en Sciences Economiques et Commerciales) almost a year ago, which exposed the sensitive personal and financial information of approximately four million students who applied for scholarships through the organization. Educational institutes and non-profit organizations that accept such sensitive information from young students should start investing more of their budget in cybersecurity, as they are clearly not doing enough.

