Major U.S. education publisher McGraw Hill had information from more than 100,000 students, as well as its digital keys and source code exposed as a result of misconfigurations in its Amazon Web Services S3 buckets
, which could have been accessed since 2015, The Register
More than 117 million files and over 22 TB of data have been leaked by the misconfigured buckets, including student data and teaching materials in U.S. and Canadian educational institutions, such as University of California-Los Angeles, University of Michigan, Johns Hopkins University, and University of Toronto, a vpnMentor report showed.
"In the limited sample we researched, we could see that the amount of records varied on each file from ten to tens of thousands students per file. Due to the amount of files exposed and because we only review a small sample following ethical rules, the actual total number of affected students could be far higher than our estimate," said researchers.
While McGraw Hill has been notified by vpnMentor nine times from June 13 to July 4, the education publisher only noted the removal of sensitive data from public buckets, which it did on July 20, on Sept. 21.