The education publishing company McGraw Hill on Monday confirmed a third-party report that it exposed the email addresses and grades of students at large universities across the United States and Canada after it failed to properly configure an Amazon Web Services tool.
According to the report, from vpnMentor, McGraw Hill left two buckets on S3 — an AWS cloud-storage service — unsecured, making them visible to any internet browser. VpnMentor said it discovered the buckets in early June and concluded they were connected to McGraw Hill’s online learning platform.
The files exposed — including spreadsheets containing students’ names, email addresses and grades on recent assignments — were linked to several prestigious institutions, including Johns Hopkins University, the University of Michigan, the University of California, Los Angeles and Canada’s McGill University and University of Toronto. In total, more than 100,000 students worldwide were affected, according to vpnMentor.
Since its June 12 discovery of the leak, vpnMentor said, it attempted to contact the publisher several times, as well as report its finding to Amazon and the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT. VpnMentor finally received a reply from McGraw Hill on Sept. 19, by which point, the publisher told StateScoop, it had already detected and reconfigured the unsecured S3 buckets.
“This summer, as part of our routine testing processes, we became aware of an AWS S3 bucket that was publicly accessible and that included a few file types, some of which included personal information,” Tyler Reed, a McGraw Hill spokesperson, told EdScoop. “Following our internal incident response procedures, we removed the identified files from the public S3 bucket. We are not aware of any further impact at this time.”
Reed added that McGraw Hill “takes cybersecurity extremely seriously” and is undertaking additional reviews of its processes.