UGC Data Breach Exposes Personal Details of 130,000 Students, 3,000 Professors

Hikmat Acharya

Baishakh 22, 2083, 17:29

Kathmandu. A major cybersecurity vulnerability at the University Grants Commission (UGC) has exposed sensitive personal and financial data of thousands of students and professors, raising serious concerns over data protection and digital governance in Nepal. 

The breach, linked to weaknesses in the commission’s system developed by Debug Soft, reportedly stemmed from inadequate API authorization and authentication mechanisms. As a result, personal details of around 130,000 students and nearly 3,000 faculty members were accessible online without any security safeguards. 

The security flaw allowed users to access data through a publicly exposed API endpoint by simply altering identification numbers in the URL. Information available included full names, dates of birth, citizenship numbers, issuing districts, and images of citizenship documents. Additional details such as mobile numbers, email addresses, parents’ information, and academic records were also exposed. 

In the case of professors and staff, the exposure was even more severe, extending to financial information: bank name, bank account number, PAN number, and documents such as appointment letters were all accessible on the internet without any security.

Cybersecurity experts identified the flaw as an “Insecure Direct Object Reference” (IDOR), a critical vulnerability in which an application exposes an internal record identifier and serves the record without checking that the requester is authorized to see it. Technical analysis indicated that, because no authentication was required, the entire database could potentially be extracted programmatically.

Cybersecurity expert Bijay Limbu described the incident as a case of “extreme negligence,” stating that even basic security standards were ignored. “APIs should always be secured through proper authentication. If data is accessible without any verification, the system effectively has zero security,” he said, warning of risks including identity theft, financial fraud, and misuse of national identity information. 

The incident has caused alarm among affected individuals. Several students and faculty members said they were unaware that their personal data would be publicly accessible. One student, requesting anonymity, said she was shocked to learn that her citizenship number and family details had been exposed. Another student expressed concern that the leak of bank account and PAN details could lead to financial fraud. 

Professor Indra Prasad Bhattarai said he was unaware of the vulnerability until recently, despite having submitted personal information to the commission. “If such data is misused, who will be held accountable?” he questioned. 

Cybersecurity analysts warn that the scale of the breach could have far-reaching implications. Leaked financial and identity data could be exploited for phishing, fraudulent KYC processes, identity theft, and unauthorized SIM registrations. 

UGC officials have acknowledged the issue, stating that the vulnerability allowed unauthorized access through the API. “The system was inadvertently made public due to a technical error. We have since shut down access and are working to fix the issue,” a technical staff member said.

Suresh Basnet, founder of Debug Soft, also admitted shortcomings in the system, attributing the breach to the absence of individual authentication and premature deployment during the development phase. He said the issue has now been addressed and measures are being implemented to ensure secure, token-based access. 
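As an added illustration, not code from UGC, Debug Soft or the article, the following Python sketch contrasts the pattern the article describes (a record fetched straight from the identifier in the URL, with no authentication) with the two checks that close it: verifying a signed bearer token, which is the kind of token-based access the vendor says is now being introduced, and then an object-level authorization check that the caller is entitled to that specific record. The sample records, the token format, the role names and the signing secret are all constructed for the example; a real deployment would keep the secret out of source and use an established token library.

```python
"""Hypothetical contrast between an IDOR-prone record lookup and a hardened one.

Constructed for illustration only; the records, secret and token format are
not from any real system.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample records (fictional values, not real people).
STUDENTS = {
    "1001": {"name": "Student A", "citizenship_no": "CZ-00001", "mobile": "98X-0001"},
    "1002": {"name": "Student B", "citizenship_no": "CZ-00002", "mobile": "98X-0002"},
}

# Assumption: in practice this lives in a secret store, never in the code base.
SIGNING_SECRET = b"illustration-only-secret"


def issue_token(subject: str, role: str) -> str:
    """Mint a minimal signed token: base64(JSON claims) '.' HMAC-SHA256 hex."""
    claims = json.dumps({"sub": subject, "role": role}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the claims dict if the signature is valid, else None."""
    try:
        payload, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def vulnerable_get_student(student_id: str):
    """The pattern the article describes: the id from the URL is looked up directly.

    Anyone who can reach the endpoint can read any record by changing the id.
    """
    record = STUDENTS.get(student_id)
    return (200, record) if record is not None else (404, None)


def secure_get_student(student_id: str, authorization_header):
    """Authenticate the caller, then authorize access to this specific record."""
    # 1. Authentication: a valid signed bearer token is required at all.
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return (401, None)
    claims = verify_token(authorization_header[len("Bearer "):])
    if claims is None:
        return (401, None)

    # 2. Object-level authorization: a student may read only their own record;
    #    only the constructed 'ugc_staff' role may read arbitrary records.
    #    Deny before the lookup so the response does not reveal which ids exist.
    if claims.get("role") != "ugc_staff" and claims.get("sub") != student_id:
        return (403, None)

    record = STUDENTS.get(student_id)
    return (200, record) if record is not None else (404, None)


if __name__ == "__main__":
    own = issue_token("1001", "student")
    print("no token   ->", secure_get_student("1002", None)[0])
    print("own record ->", secure_get_student("1001", "Bearer " + own)[0])
    print("other's    ->", secure_get_student("1002", "Bearer " + own)[0])
```

The two response codes matter for detection as well as prevention: once the hardened handler is in place, a burst of 401 or 403 responses for sequential identifiers from one client is the signature of someone probing the old weakness, and is worth alerting on.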

Despite these assurances, the incident has raised serious questions about adherence to basic cybersecurity standards, particularly given that highly sensitive real-world data was exposed while the system was still under development. 

Last updated: Baishakh 22, 2083, 17:29