Updated on April 30, 2018 by UpGuard
Last week, leading online education provider Lynda.com announced that its database of over 9.5 million accounts was compromised in a recent data breach. With the education space increasingly moving to the internet, are underlying technology providers doing their best to provide a safe learning environment to customers?
No stranger to security incidents, Lynda.com's parent company LinkedIn also announced earlier this year that it discovered 117 million of its users' passwords for sale on the black market. The company was quick to note that the discovery was not due to a new security incident, but rather part of a previously announced 2012 data breach; notwithstanding, only 6.5 million passwords were thought to be compromised initially. In Lynda.com's case, 9.5 million accounts containing customers' names, email addresses, and courses viewed were accessed, along with 55,000 account passwords.
According to market research firm Technavio, the global corporate elearning market is expected to hit $31 billion in revenue by the end of 2020. This massive opportunity has led to the rise of tech startups focused on online education, but also poses new security challenges for companies in the business of online course delivery.
Online Learning Provider Roundup
Lynda.com is just one of many leading online education providers responsible for storing sensitive customer data—leading competitors include Coursera, Udacity, Study.com, and Udemy, among others. Let's see how these companies and other leading competitors fare when it comes to security and cyber resilience.
Mountain View-based Coursera is a leading provider of massive open online courses (MOOCs) and works with leading universities to provide remote course delivery to students worldwide. The company's website perimeter security suffers from flaws such as server information leakage, lack of secure cookies, and missing DMARC/DNSSEC, among others. Also, heads up Coursera: your SSL certificate expires in 30 days.
Udacity is a MOOC provider that started off as an offshoot series of free computer science classes offered by Stanford University. The company recently surpassed 35 million enrollments—fortunately, only a few security gaps tarnish its otherwise good security posture: lack of HTTP strict transport security, lack of DMARC/DNSSEC, among others.
Germany-based MOOC provider Iversity offers academic-level online courses to global learners, featuring courses ranging from engineering and philosophy to design to biology. Despite its relative success, the company was rescued from the brink of bankruptcy last year—the company has since refocused on digital degree programs and new content focused on professional development.
Various flaws in Iversity.org's website perimeter security make it vulnerable to cyber attacks, including server information leakage, lack of SPF, and disabled DMARC/DNSSEC, among others.
Leading MOOC provider Udemy offers over 42,000 courses for personal training and professional development, most of which are user-created—the platform allows anyone to build free or paid-for online courses. A handful of security shortcomings keep it from achieving an optimal resilience posture: an SSL certificate expiring in 30 days, lack of HttpOnly/secure cookies and missing DNSSEC.
Like Coursera and Iversity, Study.com partners with colleges and universities to offer remote, for-credit courses to geographically dispersed students. Unlike its counterparts, the company's website lacks sitewide SSL—along with similar flaws like server information leakage, lack of HttpOnly/secure cookies, missing DMARC/DNSSEC, and more.
Khan Academy's free online learning platform is being used by millions of students from all over the world every day. Its relatively good security posture is hampered by a handful of security flaws including lack of HTTP strict transport security, disabled HttpOnly/secure cookies, missing DNSSEC, and more.
A joint project of MIT and Harvard, edX currently has over 5 million users as of March 2016. The platform is renowned for its many partnerships with the world's most prestigious universities and leading research institutions. Despite a good security posture, lack of HTTP strict transport security and missing DMARC/DNSSEC could potentially lead to a compromise.
Lynda.com has been making data breach headlines as of late—acquired by LinkedIn back in 2015, the company recently announced the theft of its user data, much to the dismay of its 9.5 million users. Despite its recent security event, the company's website still suffers from security flaws such as server information leakage, lack of HttpOnly/secure cookies, and missing DNSSEC. Additionally, a low 64% CEO rating makes the company more prone to insider threats.
In general, leading online education providers have average to good resilience postures, though all suffer from common flaws such as missing DMARC/DNSSEC and server information leakage. Study.com takes a big hit for lack of sitewide SSL, while Lynda.com's low CEO approval rating makes it prone to attackers on the inside. Wondering if your nanodegree pursuit is putting your personal data in jeopardy? Try out UpGuard's free CSTAR risk grader web application and Chrome extension for validating the security posture of your online education provider today.
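The header and DNS findings that recur in this roundup (server information leakage, missing HTTP strict transport security, cookies without Secure/HttpOnly, missing SPF/DMARC) can be checked from a response's headers and a domain's TXT records. The following is an added example, not UpGuard's code or the CSTAR scoring logic: the sample headers, TXT records and the example.edu domain are constructed, the finding labels are hypothetical, and DNSSEC and certificate expiry are left out because they need live lookups.

```python
import re

# Constructed sample data; example.edu is a placeholder, not a site from the article.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.18 (Ubuntu)"),
    ("X-Powered-By", "PHP/5.6.30"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
SAMPLE_TXT = {
    "example.edu": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.edu": ["v=DMARC1; p=none; rua=mailto:dmarc@example.edu"],
}

def audit_headers(headers):
    """Return findings for one HTTPS response given as (name, value) pairs."""
    findings = []
    lowered = [(n.lower(), v) for n, v in headers]
    for name, value in lowered:
        # A bare product name is low risk; a version string maps to known vulnerabilities.
        if name in ("server", "x-powered-by") and re.search(r"\d", value):
            findings.append(f"info-leak:{name}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie-missing-{flag}:{cookie}")
    if not any(n == "strict-transport-security" for n, _ in lowered):
        findings.append("hsts-missing")
    return findings

def audit_mail_dns(domain, txt):
    """Return SPF/DMARC findings from a {name: [TXT strings]} mapping."""
    findings = []
    if not any(r.lower().startswith("v=spf1") for r in txt.get(domain, [])):
        findings.append("spf-missing")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none").lower() == "none":
            findings.append("dmarc-not-enforced")  # p=none only monitors, it rejects nothing
    return findings

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS) + audit_mail_dns("example.edu", SAMPLE_TXT):
        print(f)
```

A published DMARC record with `p=none` is reported separately from a missing one, since it collects reports but does not stop spoofed mail.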
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.