Student Information Exposed in McGraw Hill Data Breach: Report

• Student data was exposed in publicly accessible cloud buckets from McGraw Hill, according to a vpnMentor report.
• Names, email addresses, and grades were left available to anyone with a web browser, according to the report.
• McGraw Hill discovered the files weren't properly secured as part of routine testing processes and removed them over the summer, a spokesperson told BestColleges.

More than 100,000 students' data was exposed in a McGraw Hill data breach, according to researchers at vpnMentor.

Private data — including names, email addresses, and grades — were left available to anyone with a web browser earlier this year due to two misconfigured Amazon Web Services cloud storage buckets, according to the vpnMentor report. Those storage buckets had more than 117 million files, totaling more than 22 terabytes of data.

The data breach included a wide range of files, including excel sheets with student names, email addresses and grades, files with teachers' syllabi, course material, and McGraw Hill's own source code.

We estimate that this exposure potentially affected 100,000s students, the report reads. In the limited sample we researched, we could see that the amount of records varied on each file from ten to tens of thousands students per file. Due to the amount of files exposed and because we only review a small sample following ethical rules, the actual total number of affected students could be far higher than our estimate.

McGraw Hill spokesperson Tyler Reed confirmed to BestColleges that the company secured the files over the summer.

McGraw Hill takes cybersecurity extremely seriously and has in place processes to identify potentially exposed data and quickly respond, Reed wrote in an email. This summer, as part of our routine testing processes, we became aware of files that were not properly secured, some of which included personal information. Following our internal incident response procedures, we removed the identified files. We are currently investigating this issue.

The vpnMentor report details a lengthy process of trying to get in contact with McGraw Hill over the data breach. The researchers first attempted to contact McGraw Hill on June 13, and followed up multiple times before eventually hearing back from the company's senior cybersecurity director in late September.

The cybersecurity director confirmed that the sensitive files were removed from the public storage buckets on July 20, according to the report.

We are unable to determine if any malicious hackers found the unsecured buckets before McGraw Hill deleted the sensitive files, the report reads.