Educational publishing company McGraw-Hill Education Inc. has exposed the details of hundreds of thousands of students in another case of a company failing to secure its Amazon Web Services Inc. storage.

Researchers at vpnMentor found that McGraw Hill had two AWS S3 buckets exposed to all and sundry. One production bucket was found to have over 47 million files and over 12TB of data, while a second, non-production bucket contained over 69 million files and 10TB of data, bringing the total to over 22TB and 117 million files.

The data relates to McGraw Hill’s online education platform used by universities in the U.S. and Canada to host and facilitate online classes. As a consequence, students were potentially exposed to malicious actors and online attacks.

The data in the S3 buckets included Excel sheets with student names, email addresses and grades; files showing completed assignments, grades and performance reports; files showing syllabi from teachers; reading material for courses; private digital keys and source code from McGraw Hill.

The digital keys opened the door for attackers to decode encrypted data from McGraw Hill and even access its servers. While it’s estimated that hundreds of thousands of students had their information exposed, the researchers note that the number may be far higher, as they examined only a limited sample of the exposed data, with individual files covering anywhere from ten students to tens of thousands.

Students whose data was exposed included those studying at universities including Johns Hopkins, California, Toronto, Michigan, McGill, Illinois and Washington.

Sadly, AWS data exposures are all too common, but the better companies that fail to secure online data are at least quick to react when informed of their mistake. This, however, was not the case for McGraw Hill.

The vpnMentor researchers first became aware of the exposed S3 buckets on June 12. Despite six attempts to find someone in charge at McGraw Hill, it was only after they filed the details with USA CERT and contacted AWS on July 7 that someone at McGraw Hill finally responded, on July 9. It didn’t stop there, however, as nothing was done.

Further contact was made with AWS on Aug. 16 and nothing changed. The researchers then managed to obtain the contact details for the company’s senior cybersecurity director on Sept. 8. Multiple follow-up requests were ignored until McGraw Hill’s senior cybersecurity director claimed that the data was removed from the buckets on July 20.

While there is no evidence that the data was accessed by bad actors, the researchers note that if it had been accessed, it could have been used for identity theft, phishing campaigns, doxing, harassment and other nefarious activities.

Photo: Brecht Bug/Flickr
