Data of over 100,000 students exposed in a massive data breach


McGraw Hill, an education publishing company based in the USA, mistakenly exposed the records of over 100,000 students online. The data could be accessed by anyone with a web browser. The breach exposed students from several universities across the US and Canada.

A team of researchers at vpnMentor discovered two misconfigured Amazon Web Services (AWS) S3 buckets that belonged to McGraw Hill. One was the production bucket, with more than 47 million files and 12TB+ of data. The non-production bucket contained more than 69 million files and 10TB+ of data.

The exposed buckets contained several kinds of files, including syllabi from teachers, reading material, source code, Excel sheets listing student data, files showing students’ completed assignments, and performance reports. They also contained digital keys that could be used to decrypt data from McGraw Hill.

vpnMentor also shared several screenshots to confirm what kinds of records were exposed. Researchers looked for several students on social media platforms and found several matches for the records in McGraw Hill’s open buckets.

vpnMentor researchers discovered the AWS buckets on June 12, 2022, and tried to contact McGraw Hill multiple times. After receiving no response to multiple follow-ups, they contacted USA CERT on June 27, 2022, and Amazon AWS on July 7, 2022. On September 8, 2022, they contacted McGraw Hill through its website’s live chat and asked for the contact details of the senior cybersecurity director to report the issue. On September 21, McGraw Hill’s senior cybersecurity director confirmed that sensitive files had already been removed from the AWS bucket on July 20.

If a threat actor obtained the data, they could use it to launch phishing campaigns, doxing and harassment, identity theft, and more against students. The leaked digital keys and source code could also harm McGraw Hill.

Companies that use AWS S3 buckets should keep them private and add authentication protocols. They should also add more layers of protection to restrict who can access them.
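One way to audit the "keep them private" advice offline, as an added example that is not from vpnMentor or McGraw Hill: the check below reads a bucket's public access block settings, ACL grants and bucket policy and reports each path that lets outsiders in. The `bucket` dictionary layout and the sample configurations are constructed for illustration, and the policy test is a simplification that treats any unconditional `Allow` to a wildcard principal as public.

```python
import json

# Predefined S3 ACL groups that include callers outside the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # "*" or {"AWS": "*"} / {"AWS": ["*", ...]} matches any caller.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_exposure(bucket):
    """Return the settings that leave a bucket open to callers outside the account."""
    pab = bucket.get("public_access_block") or {}  # None means no block configured
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants that already exist.
    if not pab.get("IgnorePublicAcls", False):
        for grant in bucket.get("acl_grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # RestrictPublicBuckets limits a public policy to the owning account and AWS services.
    if not pab.get("RestrictPublicBuckets", False):
        policy = json.loads(bucket["policy"]) if bucket.get("policy") else {}
        for stmt in _as_list(policy.get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _wildcard_principal(stmt.get("Principal"))):
                actions = ", ".join(_as_list(stmt.get("Action", [])))
                findings.append(f"policy allows {actions} to any principal")
    return findings

# Constructed sample configurations (hypothetical bucket, not data from the incident).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED = {"public_access_block": None, "policy": OPEN_POLICY,
    "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LOCKED = dict(EXPOSED, public_access_block={"IgnorePublicAcls": True, "RestrictPublicBuckets": True})

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("locked", LOCKED)):
        print(name, public_exposure(cfg) or "no public access path found")
```
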