Facepalm: McGraw Hill is one of America's "big three" educational publishers, with a growing technology business that sells services to host and facilitate online classes. As vpnMentor discovered, however, McGraw Hill didn't receive a passing grade in security and decent opsec practices.
Researchers at vpnMentor found two Amazon Web Services (AWS) S3 buckets full of personal and sensitive data, later confirming that those were files belonging to McGraw Hill's online educational platform. The buckets contained more that 22 terabytes of data, with over 117 million files that were publicly available to anyone knowing where to search.
vpnMentor researchers said they checked a "limited sample" to confirm the data breach was legit, and they saw the online records contained very sensitive information such as students' names, email addresses, performance reports and grades. The two buckets also contained teachers' syllabi and course reading materials, and even some very sensitive stuff belonging to McGraw Hill itself including private digital keys and source code.
All things considered, vpnMentor estimates that the two unprotected S3 buckets – one with 12TB of data, another one with 10TB – were leaking information about more than 100.000 students of US and Canadian schools and universities. As the estimation is based on the limited sample analyzed by the researchers, the true scale of the data breach could be much, much larger.
Perhaps the worst part of the incident is how McGraw Hill and security officials reacted to vpnMentor communication attempts.
The researchers discovered the publicly accessible S3 buckets on June 12, 2022, and they tried to contact the company the day after. There were further contact attempts in the following weeks, and researchers also tried to reachUS-CERT officials and Amazon.
The first response from McGraw Hill arrived on July 9, 2022, almost a month after the first message, but it took another 10 days to get some results.
According to McGraw Hill's senior cybersecurity director, sensitive files were removed from the public buckets on July 20, 2022, almost two months after the incident was discovered. vpnMentor was informed of this on September 21.
vpnMentor analysts also said they were unable to determine if any malicious actor found the unsecured buckets before McGraw Hill deleted the sensitive files. Considering the files could have been accessed as far back as 2015, and that open S3 buckets are a very well-known security issue within the industry, there's very little doubt about a potential weaponization of the compromised data against students, teachers, education institutions and McGraw Hill itself.