Information leaked through student ID, experts explain the reason

Suddenly AI "exposed" personal information
Trying to type in her student code on Google, Minh Chau (22 years old, student in Hanoi) was startled to see almost all personal information appear on the search results returned by AI.
That is the story Chau told after trying to follow the trend that has been spreading on Threads in recent days.
Specifically, many users have posted content expressing confusion when just looking up the student code, personal information from full name, class, date of birth, academic results or even hometown and citizen identification card immediately appear.

One account posted: "Is it true that checking the student code revealed the information, everyone? I looked up all the information, even the subjects I studied and my grades were all there. I'm starting to feel afraid of AI."
The article quickly attracted hundreds of thousands of views. Below the post, many other students also tried to do the same and were surprised when personal information appeared from the AI results.
But in reality, the culprit behind it is not really from AI.
Talking to Dan Tri reporter, cybersecurity expert, Mr. Ngo Minh Hieu (Hieu PC), commented: "It should not be understood that AI "cracks" data on its own. In most cases, information has been published on school websites, PDF files, class lists, academic announcements, forums or social networks. AI and search engines only work to synthesize and display faster."
Over the years, some universities have often publicly disclosed student lists, scholarships, training scores or academic results. These contents can be indexed by Google and stored in search databases.
On the other hand, on document sharing platforms, to gain access or download some necessary documents, users need to upload documents as if for exchange.
Therefore, many students have blatantly submitted other students' reports, essays and even graduation theses without permission.
Many of the uploaded documents still retain the personal information of the author or the information of the members of the implementation team.
According to records, some people even submitted class lists, lists of students receiving scholarships, or administrative forms with many personal data fields.
"There's no need to be afraid of AI. AI can't do that if there aren't a few people who use posts containing other people's information to upload them to read documents," one user commented.

And then when AI tools are integrated into search systems, synthesizing and presenting information becomes faster.
From discrete pieces of data, AI can synthesize and concentrate into a relatively complete set of student information records.
According to expert Ngo Minh Hieu, student ID is a relatively stable identifier throughout the learning process.
When this code appears in various data sources, search engines can use it as a connection point to link disparate pieces of information.
From a student code, the system can track full name, class, field of study, school email or publicly available learning documents. Each individual piece of information, when put together, can create a rough profile of an individual.
Risks lurk students
According to Mr. Hieu, when having students' personal information in hand, bad guys can completely build phishing scenarios with much higher reliability than forms of mass message distribution.
For example, students may receive a fake email from the training department asking to verify their academic account, update personal information, or pay additional tuition.
Because the content of the letter contains a lot of accurate information about the recipient, the victim easily believes that this is an official announcement from the school.

In some cases, this data can also be used to guess passwords or perform other forms of social engineering attacks targeting both students and parents.
The expert said another concern also comes from the ability of AI tools to make data collection and synthesis easier.
"Previously, to find out information about a person, a bad actor may have to visit many websites, download many different documents and then compare them themselves. Nowadays, AI can help gather that data, summarize and present the data into a complete picture in a short time," Mr. Hieu assessed.

Faced with this reality, experts recommend that universities review their entire websites, online document repositories and publicly available PDF files.
Content containing personal data such as class lists, scores, exam schedules or academic information should be moved to the system requiring internal login instead of being made public.
Schools should also limit the simultaneous publication of full names and student identification numbers in documents that can be indexed by search engines, and proactively remove or block indexing of content that is no longer of use.
As for students, Mr. Hieu recommends proactively looking up their own information on Google to check what information is appearing publicly.
If users detect unnecessary data or pose a risk to privacy, users can submit a request to remove search results to Google HERE.
In addition, students should not use student ID numbers as passwords, account recovery information or security questions.
For document sharing platforms, if they encounter their documents or information being made public, students can access the reporting feature to request it be removed.