Education Giant McGraw Hill Exposed Over 100,000 Students' Personal Information To Misconfigured AWS S3 Buckets...

Continue reading
It's every student's worst nightmare - having their personal information, grades, and other sensitive data exposed for anyone to see. Unfortunately, this became a reality for over 100,000 students whose information was left open to the public due to misconfigured Amazon Web Services S3 buckets belonging to education publishing giant, McGraw Hill.
According to security researchers at vpnMentor, the open buckets were discovered on June 12 and contained over 117 million files and 22 TB of data.
In addition to student information, the buckets also contained private digital keys and the company's own source code. This means that not only were the students' data at risk, but so was the company's sensitive information and servers. The misconfigured S3 buckets could have been accessed by anyone with a web browser as far back as 2015.
What's even more concerning is that vpnMentor claims to have contacted McGraw Hill multiple times between June 13 and July 4 to alert them of the issue, but never received a reply. The network security firm also reached out to the United States Computer Emergency Response Team (US-CERT) four times between June 27 and July 4, but received no response from them either. It wasn't until September 21 that McGraw Hill's senior cybersecurity director informed vpnMentor that the sensitive files had been removed from the public buckets on July 20.
This means that the exposed data could have been accessed by anyone for over three months before it was finally secured. The researchers warned that this data could have been used for phishing campaigns, identity theft, doxxing, and harassment. The company's source code and private keys could also have been appealing to ransomware gangs, who have a history of targeting education-sector organizations and schools.
In addition to the potential damage to students and the company, the leak may also have violated the Family Educational Rights and Privacy Act (FERPA) in the US, which requires student education records to be kept confidential. This could result in enforcement actions from relevant government bodies.
Protecting student and company data should be a top priority for any organization. It's crucial that proper security measures are in place and regularly checked to ensure sensitive information is not left exposed to the public. It's also important for companies to have a plan in place for responding to and addressing data breaches in a timely manner. In this case, McGraw Hill's delay in addressing the issue could have had serious consequences.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been