How Resilient Are the World's Leading Online Learning Providers?

Last week, leading online education provider Lynda.com announced that its database of over 9.5 million accounts were compromised in a recent data breach. With the education space increasingly moving to the internet, are underlying technology providers doing their best to provide a safe learning environment to customers?  

No stranger to security incidents, Lynda.com's parent company LinkedIn also announced earlier this year that it discovered 117 million of its user's passwords for sale on the black market. The company was quick to note that the discovery was not due to a new security incident, but rather part of a previously announced 2012 data breach; notwithstanding, only 6.5 million passwords were thought to be compromised initially. In Lynda.com's case, 9.5 million accounts containing customer's names, email addresses, and courses viewed were accessed, along with 55,000 account passwords.

Free DevOps and Security eBooks

According to market research firm Technavio, the global corporate elearning market is expected to hit $31 billion in revenue by the end of 2020. This massive opportunity has led to the rise of tech startups focused on online education, but also poses new security challenges for companies in the business of online course delivery. 

Online Learning Provider Roundup

Lynda.com is just one of many leading online education providers responsible for storing sensitive customer data—leading competitors include Coursera, Udacity, Study.com, and Udemy, among others. Let's see how these companies and other leading competitors fare when it comes to security and cyber resilience. 

1. Coursera - 665 out of 950

CSTAR - Coursera

Mountain View-based Coursera is a leading provider of massive open online courses (MOOCs) and works with leading universities to provide remote course delivery to student worldwide. The company's website perimeter security suffers from flaws such as server information leakage, lack of secure cookies, and missing DMARC/DNSSEC, among others. Also, head's up Coursera: your SSL certificate expires in 30 days.

2. Udacity - 773 out of 950  

CSTAR - Udacity

Udacity is a MOOC provider that started off as an offshoot series of free computer science classes offered by Stanford University. The company recently surpassed 35 million enrollments—fortunately, only a few security gaps tarnish its otherwise good security posture: lack of HTTP strict transport security, lack of DMARC/DNSSEC, among others.

3. Iversity - 665 out of 950 

CSTAR - Iversity

Germany-based MOOC provider Iversity offers academic-level online courses to global learners, featuring courses ranging from engineering and philosophy to design to biology. Despite its relative success, the company was rescued from the brink of bankruptcy last year—the company has since refocused on digital degree programs and new content focused on professional development.

Various flaws in Iversity.org's website perimeter security make it vulnerable to cyber attacks, including server information leakage, lack of SPF, and disabled DMARC/DNSSEC, among others.

4. Udemy - 731 out of 950

CSTAR - Udemy

Leading MOOC provider Udemy offers over 42,000 courses for personal training and professional development, most of which are user-created—the platform allows anyone to build free or paid-for online courses. A handful of security shortcomings keep it from achieving an optimal resilience posture: an SSL certificate expiring in 30 days, lack of HttpOnly/secure cookies and missing DNSSEC.

5. Study.com - 377 out of 950

CSTAR - study.com

Like Coursera and Iversity, Study.com partners with colleges and universities to offer remote, for-credit courses to geographically dispersed students. Unlike its counterparts, the company's website lacks sitewide SSL—along with similar flaws like server information leakage, lack of HttpOnly/secure cookies, missing DMARC/DNSSEC, and more.

6. Khan Academy - 731 out of 950

Screen Shot 2016-12-31 at 11.25.26 AM.png

Khan Academy's free online learning platform is being used by millions of students from all over the world every day. Its relatively good security posture is hampered by a handful of security flaws including lack of HTTP strict transport security, disabled HttpOnly/secure cookies, missing DNSSEC, and more.

7. edX - 825 out of 950

CSTAR - edX

A joint project of MIT and Harvard, edX currently has over 5 million users as of March 2016. The platform is renowned for its many partnerships with the world's most prestigious universities and leading research institutions. Despite a good security posture, lack of HTTP strict transport security and missing DMARC/DNSSEC could potentially lead to a compromise.

8. Codeacademy - 760 out of 950

Screen Shot 2016-12-31 at 11.16.29 AM.png

Codeacademy boasts over 25 million users as of January 2016; as its name implies, the leading online learning platform focuses on providing coding classes (e.g., JavaScript and Ruby programming) to global learners. A handful of security gaps hinder it from achieving an optimal resilience posture, including lack of HttpOnly cookies, missing SPF and DMARC, and disabled DNSSEC.

9. Lynda.com - 679 out of 950

Screen Shot 2016-12-31 at 11.11.24 AM.png

Lynda.com has been making data breach headlines as of late—acquired by LinkedIn back in 2015, the company recently announced the theft of its user data, much to the dismay of its 9.5 million users. Despite its recent security event, the company's website still suffers from security flaws such as server information leakage, lack of HttpOnly/secure cookies, and missing DNSSEC. Additionally, a low 64% CEO rating make the company more prone to insider threats.

Conclusion

In general, leading online education providers have average to good resilience postures, though all suffer from common flaws such as missing DMARC/DNSSEC and server information leakage. Study.com takes a big hit for lack of sitewide SSL, while Lynda.com's low CEO approval rating make it prone to attackers on the inside. Wondering if your nanodegree pursuit is putting your personal data in jeopardy? Try out UpGuard's free CSTAR risk grader web application and chrome extension for validating the security posture of your online education provider today.

Get a Guided UpGuard Demo

More Articles

How CSTAR Works

All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >

What's In the Website Risk Grader?

The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >

Understanding Risk in the 21st Century

And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >

Topics: security, CSTAR, cyber risk