The Cambridge Institute of International Education (CIIE) has secured a MongoDB database that exposed the details of over 9,000 international students studying in the US, along with data on 12,000 host families.
The student information contained details such as real names, contact emails, phone numbers, CIIE account details, CIIE account passwords, family information, and passport details.
The researchers found the data in a MongoDB database that featured no authentication on the root account, a common problem with older versions of MongoDB.
The database was found via Shodan
MacKeeper Security Research, the security team that found the database using Shodan, contacted CIIE so that the company could secure its data. The researchers didn't get any answers, but with the help of a reporter, CIIE staff secured the database within an hour of receiving a phone call from that reporter.
Besides the student information, the MacKeeper team also says they found detailed information on over 12,000 families that agreed to house international students.
For the host families, researchers found medical records, job information, emails, phones, birth dates, religious beliefs, living conditions, and more.
MacKeeper researchers also found reports on student conflicts, personal problems, and even internal CIIE communications.
CIIE is not the first educational institute to leak student information
The Cambridge Institute of International Education is a privately owned consulting firm based in Boston, USA, which helps private US high schools find and recruit international students. The company says that, in the last six years, it has generated over $110 million in tuition fees for the high schools it partnered with.
MacKeeper researchers also highlight that this isn't the first time the details of US students have been spilled out in the open. In the last year, US universities leaked details for more than a million students.
According to MacKeeper, the list includes Indiana University (146,000 leaked records), Butler University (200,000), North Dakota University (300,000), the University of Maryland (300,000), and more.
UPDATE: CIIE issued a statement via DataBreaches.net in which it explained that the database exposed 600,000 records, many of which were duplicates, and that the number of affected students is less than 9,000.