
Education company McGraw Hill exposes student data on unsecured cloud storage

source link: https://siliconangle.com/2022/12/19/education-company-mcgraw-hill-exposes-student-data-unsecured-cloud-storage/


Educational publishing company McGraw-Hill Education Inc. has exposed the details of hundreds of thousands of students in another case of a company failing to secure its Amazon Web Services Inc. storage.

Discovered by researchers at vpnMentor, McGraw Hill was found to have two AWS S3 buckets exposed to all and sundry. One production bucket was found to have more than 47 million files and 12 terabytes of data, while a second, nonproduction bucket contained more than 69 million files and 10 terabytes of data, bringing the total to in excess of 22 terabytes and 117 million files.

The data relates to McGraw Hill’s online education platform used by universities in the U.S. and Canada to host and facilitate online classes. As a consequence, students were potentially exposed to malicious actors and online attacks.

The data in the S3 buckets included Excel sheets with student names, email addresses and grades; files showing completed assignments, grades and performance reports; files showing syllabi from teachers; reading material for courses; private digital keys; and source code from McGraw Hill.

The digital keys opened the door for attackers to decode encrypted data from McGraw Hill and even access its servers. Although it's estimated that hundreds of thousands of students had their information exposed, the researchers note that the number may be far higher, since they only used a limited sample of the exposed data, and individual files covered anywhere from 10 to tens of thousands of students.

Students whose data was exposed included those studying at universities including Johns Hopkins, California, Toronto, Michigan, McGill, Illinois and Washington.

Sadly, AWS data exposures are all too common, but better companies, having failed to secure their online data, are quick to react when informed of their mistake. This, however, was not the case for McGraw Hill.

The vpnMentor researchers first became aware of the exposed S3 buckets on June 12. Despite six attempts to find someone in charge at McGraw Hill, it was only after they filed the details with USA CERT and contacted AWS on July 7 that someone at McGraw Hill finally responded, on July 9. But it didn't stop there, since nothing was done.

Further contact was made with AWS on Aug. 16 and nothing changed. The researchers then managed to obtain the contact details for the company’s senior cybersecurity director on Sept. 8. Multiple follow-up requests were ignored until McGraw Hill’s senior cybersecurity director then claimed that the data was removed from the buckets on July 20.

Although there’s no evidence that the data was accessed by bad actors, the researchers note that if it had been accessed, it could have been used for identity theft, phishing campaigns, doxing and harassment and other nefarious activities.

Photo: Brecht Bug/Flickr
