The education publishing giant, McGraw Hill, has accidently exposed the grades of over 100,000 students via a misconfigured S3 bucket database. According to researchers at vpnMentor, the data was publicly available and found on June 12. One production bucket contained more than 47 million files and 12TB of data, and a second non-production bucket held more than 69 million files and 10TB of data. The data included students’ names, email addresses, performance reports, and grades. The buckets also contained classroom data such as teachers’ syllabi and course reading materials for US and Canadian students in schools such as Johns Hopkins University, University of California-Los Angeles, University of Toronto, and University of Michigan. Additionally, the data included private keys, which could be decrypted and used by threat actors to access sensitive information about students and McGraw Hill’s source code. The data was able to be accessed by anyone via public Internet starting in 2015.
Researchers verified a small sample of the data and reached out to McGraw Hill, who did not initially respond. Finally, the company announced on September 21st that they had removed all sensitive data out of the public buckets. Due to the growing regulatory burden, it is highly recommended that organizations store sensitive customers data securely, and utilize third party cybersecurity services to verify the security of such data in order to avoid liability, regulatory fines, and increases in cyber insurance costs. With the use of third-party storage becoming more popular, companies can also assess the value of third-party data storage vendors in accordance with their budget and risk management framework.