McGraw Hill recently confirmed the company faced an extortion attempt that resulted in a data breach.
What happened
According to BleepingComputer, 13.5 million individuals have had their data leaked from McGraw Hill. The company, which is known globally as a leader in educational publishing, said the breach took place after an extortion group, believed to be ShinyHunters, breached the company’s Salesforce environment by exploiting a misconfiguration.
McGraw Hill has not yet shared how many individuals may have been impacted, but according to the breach notification service Have I Been Pwned, the threat actor has leaked over 100GB of files linked to approximately 13.5 million accounts.
Going deeper
McGraw Hill released a statement to BleepingComputer after ShinyHunters added the company’s information to their dark web leak site, claiming to have 45 million Salesforce records, including personally identifiable information. McGraw Hill said unauthorized access impacted “a limited set of data from a webpage hosted by Salesforce on its platform.” The company added that the incident seems to be part “of a broader issue involving a misconfiguration with Salesforce's environment.”
The exposed information included names, physical addresses, phone numbers, and email addresses.
What was said
McGraw Hill said the incident was part of a larger issue with Salesforce, adding that it will be working with Salesforce to “further strengthen protections and ensure this issue is fully addressed.”
In a statement to The Record, a Salesforce spokesperson said that there is “no indication that the Salesforce platform has been compromised,” adding that the event is “not related to any known vulnerability in our technology.” Ultimately, it seems unclear to the public where the breach originated or which organization’s security measures were insufficient. As the investigation continues, more information will likely come to light, impacting which organization may face consequences via class action lawsuits or government penalties.
In the know
ShinyHunters threatened to leak the information unless a ransom was paid by April 14th, but most organizations refuse to pay a ransom because it risks an uncertain outcome. At this time, it’s believed that 100GB of information has been publicly distributed on the dark web.
ShinyHunters has become an increasingly prominent threat group. In April, the group also began leaking data following a successful attack against Rockstar Games, an American video game publisher. ShinyHunters was also behind the recent Hims & Hers breach Paubox reported on. The group has been active since 2020, but does not seem to have clear ties to any one nation. It’s believed that some members of the group may also be in other threat groups, like Scattered Spider. ShinyHunters focuses on targeting cloud applications and website networks. According to The Conversation, they’ve targeted Salesforce in the past.
The big picture
Similar to healthcare data, educational data can also be highly valuable on the dark web, because educational companies like McGraw Hill often collect a trove of personal information. Ransomware groups have become increasingly sophisticated in their attack methods, making breaches harder to catch and harder to prevent. Since 2018, it’s estimated that ransomware attacks have increased 264%. Attacks can occur through a variety of vectors, requiring organizations to focus on network security, email security, employee training, and more.
FAQs
Did McGraw Hill pay any ransom?
No, McGraw Hill did not pay any ransom to ShinyHunters. The malicious group has released data publicly, but it’s possible that the data would have been released regardless of whether McGraw Hill had paid.
Who is to blame for the incident?
Both McGraw Hill and Salesforce say that their systems were secure. ShinyHunters has been known to target Salesforce, but without knowing what was uncovered during the investigation, such as why McGraw Hill believes the incident occurred at Salesforce, it’s hard to know. Ultimately, organizations are only as secure as their weakest vendor, and each organization has an obligation to protect its customers' data.
