McGraw Hill's S3 buckets exposed 100,000 students' grades and personal info
Educator gets an F for security
Misconfigured Amazon Web Services S3 buckets belonging to McGraw Hill exposed more than 100,000 students' information as well as the education publishing giant's own source code and digital keys, according to security researchers.
The research team at vpnMentor said they discovered the open S3 buckets on June 12, and contacted McGraw Hill a day later. One production bucket contained more than 47 million files and 12TB of data, and a second non-production bucket held more than 69 million files and 10TB of data, we're told.
"In the limited sample we researched, we could see that the amount of records varied on each file from ten to tens of thousands students per file," the researchers said. "Due to the amount of files exposed and because we only review a small sample following ethical rules, the actual total number of affected students could be far higher than our estimate."
Overall, the buckets contained more than 22 TB of data and over 117 million files. It included students' names, email addresses, performance reports and grades as well as teachers' syllabi and course reading materials for US and Canadian students and schools such as Johns Hopkins University, University of California-Los Angeles, University of Toronto and University of Michigan.
Additionally, the data dump leaked private digital keys, which could have allowed miscreants to decrypt the publisher's sensitive data and access its servers, plus McGraw Hill's source code.
The misconfigured S3 buckets could have been accessed by anyone with a web browser as far back as 2015, we're told.
And to confirm the data belonged to actual people, as opposed to a platform test, the researcher said they used publicly available information to verify a "small sample" of the records, and matched students' social media profiles to the PII in McGraw Hill's open buckets.
After confirming that the data belonged to the company's online learning platform, vpnMentor claims it contacted McGraw Hill nine times between June 13 and July 4, including reaching out to additional departments and the chief information security officer, but never received a reply.
McGraw Hill did not respond to The Register's inquiries for this story.
Additionally, the network security shop said it reached out to the United States Computer Emergency Response Team (US-CERT) four times between June 27 and July 4 and never heard back from anyone there, either.
Finally, on September 21, McGraw Hill's senior cybersecurity director told vpnMentor that the sensitive files had been removed from the public buckets on July 20, according to the report.
- Education tech giant gets an F for security after sensitive info on 40 million users stolen
- US school year opens with reading, writing, and ransomware
- LockBit threatens to leak confidential info stolen from California's beancounters
- FBI warns about Cuba, no, not that one — the ransomware gang
"We are unable to determine if any malicious hackers found the unsecured buckets before McGraw Hill deleted the sensitive files," the researchers wrote, adding that the exposed data could have been used for phishing campaigns and identity theft as well as doxxing and harassment.
Plus, we'd guess that the publishing firm's source code and private keys would be appealing to ransomware gangs, who have a certain affinity for education-sector organizations and schools, or even less sophisticated criminals looking to make a buck or two on the darkweb.
"Furthermore, under US Federal law, student education records are official and confidential documents, by virtue of the Family Educational Rights and Privacy Act (FERPA)," the researchers noted. "A student's grades may not be released or posted in any personally identifiable way without prior written permission from the student. As a result, by exposing these records, McGraw Hill may be in direct violation of FERPA, and could face enforcement actions from the relevant US government bodies."
Not to name names, but a certain US watchdog agency (cough) Federal Trade Commission (cough) doesn't take too kindly to leaks involving students' data. ®