vpnMentor researchers said they checked a “limited sample” to confirm the data breach was genuine, and they saw that the online records contained very sensitive information such as students’ names, email addresses, performance reports and grades. The two buckets also contained teachers’ syllabi and course reading materials, and even some very sensitive material belonging to McGraw Hill itself, including private digital keys and source code. All things considered, vpnMentor estimates that the two unprotected S3 buckets – one with 12TB of data, another one with 10TB – were leaking information about more than 100,000 students at US and Canadian schools and universities. As the estimate is based on the limited sample analyzed by the researchers, the true scale of the data breach could be much, much larger.
Perhaps the worst part of the incident is how McGraw Hill and its security officials reacted to vpnMentor’s attempts to make contact. The first response from McGraw Hill arrived on July 9, 2022, almost a month after the first message, but it took another 10 days to get any results. According to McGraw Hill’s senior cybersecurity director, the sensitive files were removed from the public buckets on July 20, 2022, almost two months after the incident was discovered. vpnMentor was informed of this on September 21. vpnMentor analysts also said they were unable to determine whether any malicious actor had found the unsecured buckets before McGraw Hill deleted the sensitive files. Considering that the files could have been accessible as far back as 2015, and that open S3 buckets are a very well-known security issue within the industry, there is little reason to doubt that the exposed data could be weaponized against students, teachers, educational institutions and McGraw Hill itself.
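The misconfiguration behind this incident is a bucket whose ACL grants access to everyone while no Public Access Block setting neutralises that grant. The following audit check is an added illustration, not code from vpnMentor’s report or from McGraw Hill; the bucket names and grants are constructed, and the dictionary shapes follow the boto3 `GetPublicAccessBlock` and `GetBucketAcl` responses so the logic can be pointed at live inventory data.

```python
"""Classify S3 buckets as private, blocked or public from ACL + Public Access Block data.

Only the two signals that decide anonymous ACL access are evaluated here; a bucket
policy granting access to "*" is a separate check (covered on AWS by the
BlockPublicPolicy / RestrictPublicBuckets settings) and is out of scope.
"""

# Pre-defined S3 group URIs that turn an ACL grant into a public grant.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(grants):
    """Return the grants that hand a permission to everyone (or to any AWS account)."""
    return [
        g for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    ]


def bucket_exposure(public_access_block, grants):
    """'private': no public grant; 'blocked': public grant ignored by the
    Public Access Block; 'public': public grant in effect.

    public_access_block is the PublicAccessBlockConfiguration dict, or None when
    neither the bucket nor the account has one (GetPublicAccessBlock then errors).
    """
    if not public_acl_grants(grants):
        return "private"
    pab = public_access_block or {}
    # IgnorePublicAcls makes S3 disregard public grants even though they remain set.
    return "blocked" if pab.get("IgnorePublicAcls", False) else "public"


def audit(inventory):
    """Map bucket name -> exposure for an inventory of (pab, grants) pairs."""
    return {name: bucket_exposure(pab, grants) for name, (pab, grants) in inventory.items()}


# Constructed sample inventory (hypothetical names; not buckets from the incident).
SAMPLE_INVENTORY = {
    "course-materials-demo": (None,  # no Public Access Block at all
        [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]),
    "grades-archive-demo": ({"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]),
    "keys-and-source-demo": ({"IgnorePublicAcls": False},
        [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]),
}

if __name__ == "__main__":
    for bucket, status in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {status}")
```

With real data, feed each bucket's `get_public_access_block()["PublicAccessBlockConfiguration"]` (or `None` on `NoSuchPublicAccessBlockConfiguration`) and `get_bucket_acl()["Grants"]` into `bucket_exposure`; any `public` result is the state the two leaking buckets were in.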