The incident took place when two misconfigured AWS S3 buckets belonging to McGraw Hill, one of the “big three” educational publishers in the US, were left exposed without any security authentication.
The cyber security researchers at vpnMentor discovered a couple of misconfigured Amazon Web Services (AWS) S3 buckets containing a massive trove of data belonging to a USA-based education publishing firm, McGraw Hill.
The platform is among the top three educational content publishers in the United States, and it is also widely used by educational institutions across Canada for facilitating online classes. It builds educational software for students who can access lectures and upload homework on its portal.
Findings Details
Researchers discovered two misconfigured Amazon Web Services S3 buckets, the owner of which was identified to be McGraw Hill. The researchers discovered one non-production bucket containing over 69 million documents and 10TB+ of data and one production bucket containing 12TB+ of data.
In total, 22TB of data was exposed, and the buckets contained 117 million files. The buckets were discovered on 12 June 2022. vpnMentor’s researchers contacted McGraw Hill first on 13 June, 2022 then again on 15 June and 20 June 2022.
They contacted them the fourth time on 27 June 2022 and finally reached USA CERT several times between 27 June and 4 July 2022. In total, vpnMentor tried to contact McGraw Hill nine times. On 7 July 2022, vpnMentor contacted Amazon Web Service, and finally, they received a response on 9 July 2022.
What Data Got Exposed?
According to vpnMentor’s blog post, around 100,000 students could be exposed to numerous online attacks due to this data breach. Their private data, such as personal details and grades, could be at risk, and anyone could access it using a web browser.
Further, the exposed data included excel sheets containing student data such as email IDs, names, and grades, documents featuring students’ assignments, performance reports, and grades, and documents containing syllabi for the teachers.
Moreover, the data included reading material for different courses, source code for McGraw Hill, and private digital keys from McGraw Hill. The leaking of source code is dangerous as it can help threat actors to search for other flaws.
Reportedly, the breach or incident impacted students from the following universities:
- McGill University
- University of Illinois
- University of Toronto
- University of Michigan
- Johns Hopkins University
- Washington University in St Louis
- University of California, Los Angeles
What Caused the Exposure?
Researchers noted that McGraw Hill was using AWS S3 buckets for storing data from their online education service since the exposed data belonged to the company’s online learning portal that was connected to the AWS account.
Researchers were certain that Amazon wasn’t responsible for the misconfigured database. After several failed attempts to bring the issue to the company’s notice, vpnMentor could contact them, and the sensitive files were removed from public exposure on 20 July.
The data exposure might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a third party with malicious intent or not.
Nevertheless, at the time of publishing this article, both exposed servers had been secured, thanks to vpnMentor’s non-stop alerts to concerned authorities.