McGraw Hill’s S3 buckets exposed 100,000 students’ grades and personal info

Jessica Lyons Hardcastle:

Misconfigured Amazon Web Services S3 buckets belonging to McGraw Hill exposed more than 100,000 students’ information as well as the education publishing giant’s own source code and digital keys, according to security researchers.

The research team at vpnMentor said they discovered the open S3 buckets on June 12, and contacted McGraw Hill a day later. One production bucket contained more than 47 million files and 12TB of data, and a second non-production bucket held more than 69 million files and 10TB of data, we’re told.

“In the limited sample we researched, we could see that the amount of records varied on each file from ten to tens of thousands students per file,” the researchers said. “Due to the amount of files exposed and because we only review a small sample following ethical rules, the actual total number of affected students could be far higher than our estimate.”

Overall, the buckets contained more than 22 TB of data and over 117 million files. It included students’ names, email addresses, performance reports and grades as well as teachers’ syllabi and course reading materials for US and Canadian students and schools such as Johns Hopkins University, University of California-Los Angeles, University of Toronto and University of Michigan.