Libyan Ministry of Education global student data leaked

Information security specialist from a cyber security firm, WizCase revealed data leak of Libyan Ministry of Education, from an open Elasticsearch database holding 2GB of students data from all over the world (complete report here), including countries like:

1. UK
2. Egypt
3. Turkey
4. USA
5. Canada
6. France
7. South Africa
8. Australia

The WizCase discovered a 2GB data hosted in Germany server, contained personal details of over 55,000 exchange students from around the world. The leaked data included:

• Full Name
• Email address
• Passport and ID numbers
• Date of Birth
• Photos
• Degrees
• Country of Origin
• Destination Country
• Marital Status
• Phone Number
• Thesis Details
• Transfer approval decision
• Start and end dates of the educational programs
• Tuition Costs
• Scanned copies of formal letters directed at the students
• Student Information (student number, user status, start & end dates, etc.)
• Employer

Consequences of Such data Leak

As the data contains students private information, they are prone to further attacks, which includes:

• Identity Theft
• Phishing
• Catfishing
• Phone Call Scam

How did this happened

The website of Libyan Ministry of Education uses student portal with unsecured Elasticsearch, which is not protected enough for security. Also data found is in clear text which can be a big threat for the students privacy issues.

Team has contacted the Libya’s Ministry of Education and Libya’s Computer Emergency Response Team (CERT) which failed to reply. Hosting provider is also contacted, which responded in a cold reply to contact customer directly. Finally, Africa’s CERT has been reported for leak, which further contacted Libya’s Ministry of Education.