According to security researchers, misconfigured Amazon Web Services S3 buckets owned by McGraw Hill have exposed the information of more than 100,000 students as well as the education giant’s own source code and digital keys.
vpnMentor’s research team said it discovered the open S3 buckets on June 12 and contacted McGraw Hill a day later. One production bucket contained more than 47 million files and 12TB of data, and a second non-production bucket contained more than 69 million files and 10TB of data, we’re told.
“In the limited sample we researched, we could see that the number of records in each file varied between ten and ten thousand students per file,” the researchers said. “Due to the volume of files disclosed and because we only ethically review a small sample, the actual total number of students affected could be far higher than our estimate.”
In total, the buckets contained more than 22 TB of data and over 117 million files. It included student names, email addresses, performance reports, and grades, as well as curriculum and reading materials for US and Canadian students and schools such as Johns Hopkins University, University of California-Los Angeles, University of Toronto, and University of Michigan.
In addition, the data dump leaked private digital keys that may have allowed criminals to decrypt the publisher’s sensitive data and access its servers and McGraw Hill’s source code.
It is said that anyone with a web browser could have accessed the incorrectly configured S3 buckets as early as 2015.
And to confirm that the data belonged to real people, as opposed to a platform test, the researcher said they used publicly available information to verify a “small sample” of the records, and the students’ social media profiles with them matched the PII in McGraw Hill’s open bucket.
After vpnMentor confirmed the data belonged to the company’s online learning platform, vpnMentor claimed it contacted McGraw Hill nine times between June 13 and July 4, including other departments and the Chief Information Security Officer, but never one Answer received.
McGraw Hill didn’t answer The registry‘s requests for this story.
In addition, the network security shop said it contacted the US Computer Emergency Response Team (US-CERT) four times between June 27 and July 4 and never received a response from them either.
Finally, on September 21, McGraw Hill’s senior cybersecurity director told vpnMentor that the sensitive files had been removed from the public buckets on July 20, according to the report.
“We cannot determine whether malicious hackers found the unsecured buckets before McGraw Hill deleted the sensitive files,” the researchers wrote, adding that the disclosed data could have been used for phishing campaigns and identity theft, as well as doxing and harassment .
Also, we would suspect that the publisher’s source code and private keys would be attractive to ransomware gangs who have some affinity with educational organizations and schools, or even less sophisticated criminals looking to make a buck or two on the dark web.
“Additionally, under US federal law, student education records are official and confidential documents under the Family Educational Rights and Privacy Act (FERPA),” the researchers noted. “A student’s grades may not be published or published in a personally identifiable manner without the student’s prior written permission. As a result, by disclosing these records, McGraw Hill may be in direct violation of FERPA and could face enforcement action from appropriate U.S. government agencies.”
Not to mention names, but a certain US regulator (cough) Federal Trade Commission (cough) doesn’t take it too kindly when student data leaks out. ®
https://www.theregister.com/2022/12/20/mcgraw_hills_s3_buckets_exposed/ McGraw Hill’s S3 buckets revealed the grades of 100,000 students • The Register