190K CAT 2020 Test Takers’ PII and Results Leaked

###### Category Adversary Intelligence
###### Affected Industries Education
###### Affected Region SAARC, India

Executive Summary

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising CAT (Common Aptitude Test) test takers’ PII (Personally Identifiable Information) and results for 2020. CAT is the principal entrance exam for MBA admissions in India. The CloudSEK Threat Intelligence Research team has validated the information in this post and has found that the compromised data is from the 2020 CAT examination.

Attribution

On 12 May 2021, a threat actor shared a post advertising a database containing 190K records of students who appeared for the 2020 CAT exam, including their PII and official scores. The actor, who joined the forum in Nov 2018, also posted the CAT 2019 database in September 2020 and has a high reputation on the forum. We have discovered similar posts on several other cybercrime forums as well.

Threat actor’s post on the underground forum

Analysis

Information from Source

In the post, the threat actor has shared the complete database along with the column names present in the dataset. The database contains 2020 CAT test talkers’ information, including: Name, Date of Birth, Email Address, Mobile number, Gender, Address, Aggregate Marks for SSC/HSC/Bachelor Degree details, and CAT percentile scores.

Sample data shared by the threat actor

Information from OSINT

Using public sources, CloudSEK Threat Intelligence Researchers have been able to confirm that the compromised data contains the PII and results of the students who appeared for the 2020 CAT examination.

Information from HUMINT

We have also been able to confirm through a reliable source that the threat actor exploited a vulnerability in the official CAT website to access the dataset. We are in the process of verifying the threat actor’s claims.

Impact

  • Since PII, including email addresses and phone numbers, have been exposed as a result of this breach threat actors can misuse the data to:
    • Carry out social engineering activities, phishing attacks, or even identity theft.
    • To view a candidate’s academic details along with their test scores without authorization.
  • The source of this leak is still undisclosed. Hence, if the technical vulnerability that caused the leak persists, such attacks could be repeated until it is patched.

Recommendations

  • Use strong passwords.
  • Enable multi-factor authentication for all online accounts.
  • Don’t share OTPs with third-parties.
  • Regularly update apps and other software.
1 Like