Dive Brief:
- Education publishing company McGraw Hill had a data breach that potentially exposed hundreds of thousands of students’ email addresses and grades, a recent report from vpnMentor said.
- The online privacy firm said its research team detected the data breach in mid-June and spent months attempting to contact the company about the issue. The researchers found troves of data “apparently belonging to McGraw Hill” that were available to anyone with a web browser, according to the report.
- McGraw Hill said it found out about the publicly available data during routine testing and isn't aware of any negative effects. The report said the data breach potentially exposed personal data from university students across North America, including those studying at Johns Hopkins University, University of California, Los Angeles, and the University of Michigan.
Dive Insight:
Higher education has increasingly been a target for cybercriminals. While cyberattacks on individual colleges often dominate headlines, their software providers and other vendors also suffer from attacks that could compromise student data.
In 2020, hackers stole data from Accellion, a global cloud services provider that had serious data security flaws. Several colleges were swept up in the attack, including Stanford University, University of Miami and Yeshiva University, Gizmodo reported. The publication confirmed that the leak site contained publicly visible data from some of the colleges, including addresses, phone numbers and Social Security numbers.
However, vpnMentor said that McGraw Hill’s data breach appears to have been caused not by a cyberattack, but by the company storing sensitive files on cloud storage buckets that were publicly accessible.
Tyler Reed, a McGraw Hill spokesperson, said in an email Monday that the company became aware of a publicly accessible bucket containing personal information during a routine testing process over the summer. The company removed the identified files from the bucket.
“We are not aware of any further impact at this time,” Reed said. “We are currently undertaking an additional review to see how we could improve our processes in the future.”
The breach exposed more than 117 million files, violating student and employee privacy, the vpnMentor report alleged. Federal law bars colleges from releasing or posting a student’s grades without prior written permission from that student, meaning this data breach could draw government action, according to the report.
VpnMentor said it attempted to contact McGraw Hill for months, starting in mid-June, about the data breach.
But it wasn’t until Sept. 21 that the group drew a response from a top McGraw Hill official. That day, a senior cybersecurity director for the company told the firm that sensitive files had been removed from the public buckets in late July.
Reed said the company was contacted by vpnMentor and advised them that the files had been removed.
The vpnMentor research team wasn’t able to determine whether hackers found the public buckets before the files were removed, according to the report. However, the data exposure would have enabled hackers to carry out common forms of fraud against students. That includes stealing their identities and publishing private information about them online.
“Even if the exposed data wasn’t sufficient to exploit for criminal gains, it could also be used to carry out complex phishing campaigns,” the report said.
In a phishing campaign, cybercriminals send emails impersonating businesses or organizations with the goal of tricking recipients into sharing personal information or clicking links that deliver malware.
“Due to the number of people exposed in this data breach, cybercriminals would only need to successfully scam a small fraction for any criminal scheme to be considered successful,” the report said. “Furthermore, once this information is out in the open, it may be used against the victim repeatedly for the rest of their life.”
A University of Michigan spokesperson said the college was aware of the report and had contacted the vendor for more information. Several other U.S. colleges named in the report did not provide a comment by Monday afternoon.