Security News > 2022 > December > McGraw Hill's S3 buckets exposed 100,000 students' grades and personal info

Misconfigured Amazon Web Services S3 buckets belonging to McGraw Hill exposed more than 100,000 students' information as well as the education publishing giant's own source code and digital keys, according to security researchers.

The research team at vpnMentor said they discovered the open S3 buckets on June 12, and contacted McGraw Hill a day later.

To confirm the data belonged to actual people, as opposed to a platform test, the researcher said they used publicly available information to verify a "Small sample" of the records, and matched students' social media profiles to the PII in McGraw Hill's open buckets.

Finally, on September 21, McGraw Hill's senior cybersecurity director told vpnMentor that the sensitive files had been removed from the public buckets on July 20, according to the report.

"We are unable to determine if any malicious hackers found the unsecured buckets before McGraw Hill deleted the sensitive files," the researchers wrote, adding that the exposed data could have been used for phishing campaigns and identity theft as well as doxxing and harassment.

"A student's grades may not be released or posted in any personally identifiable way without prior written permission from the student. As a result, by exposing these records, McGraw Hill may be in direct violation of FERPA, and could face enforcement actions from the relevant US government bodies."

News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/20/mcgraw_hills_s3_buckets_exposed/