vpnMentor’s research team has discovered a data breach related to McGraw Hill, an education publishing company based in the USA.

McGraw Hill is one of the big three American education content publishing companies. According to their website, they’ve been in the publishing industry since McGraw Publishing Company and Hill Publishing Company merged in 1917.

The team has discovered two misconfigured Amazon Web Services (AWS) S3 buckets apparently belonging to McGraw Hill: one production bucket with more than 47 million files and 12TB+ of data, and one non-production bucket with more than 69 million files and 10TB+ of data. In total, the buckets contained more than 22TB of data and over 117 million files.

The team originally discovered two unsecured Amazon Web Services (AWS) S3 buckets containing over 22TB of files and data. Upon investigating, the research team determined that the data belonged to McGraw Hill’s online learning platform, connected to the AWS account.

This breach from McGraw Hill was significant in both the amount of data exposed and the number of people and organizations it could affect. If malicious or criminal actors discovered the exposed data, it could bring harm to students, teachers, universities, and McGraw Hill itself.

Types of files the research team saw in the breach include:

  • Excel sheets listing student names, email addresses, and grades;
  • Files showing students’ completed assignments, grades, and performance reports;
  • Files showing syllabi from teachers;
  • Reading material for certain courses;
  • Private digital keys from McGraw Hill;
  • Source code from McGraw Hill.

This breach exposed students from universities across the US, Canada, and elsewhere, including:

  • Johns Hopkins University
  • University of California, Los Angeles
  • University of Toronto (Canada)
  • University of Michigan
  • McGill University
  • University of Illinois
  • Washington University in St Louis

The following screenshots are samples of the types of data exposed.

If you think you’ve interacted with McGraw Hill recently and are concerned about how this breach might impact you, contact the company directly to find out what steps it’s taking to protect your data.