- A misconfigured Salesforce website allowed the group ‘ShinyHunters’ to hack into McGraw-Hill data and demand a ransom.
- McGraw-Hill has acknowledged the hack but stated that it did not impact Social Security numbers, financial data, or student records.
- ShinyHunters has hit many major companies this year, including Rockstar Games and the European Commission, raising concerns about data extortion.

According to education leader McGraw-Hill, hackers have accessed certain parts of the company’s internal documents. The breach was due to a misconfiguration of a web page that the company uses on Salesforce.
The news comes after a notorious hacker organization, ShinyHunters, listed McGraw-Hill’s name on one of its dark web pages. ShinyHunters has publicly advertised that it possesses the stolen documents and will post them online unless the company pays a ransom. The hacking group claims to hold 45 million individual records of information from Salesforce users, with personal data like names, addresses, and email addresses.
McGraw-Hill disputes the figures claimed by ShinyHunters. In a statement, McGraw-Hill said that while some data was compromised in the breach, the number of exposed records was vastly lower than what ShinyHunters claims, and none of the exposed data contained sensitive information, such as Social Security numbers or bank info.
What McGraw-Hill Says About the Breach
A spokesman for McGraw-Hill stated that the breach only involved a small portion of information the company stored in a webpage hosted on Salesforce and did not involve any of its primary accounts, customer account information, proprietary technology (courseware) or McGraw-Hill’s internal business systems.
Additionally, none of the exposed data, which is very limited, contained any Social Security numbers or financial institution accounts, nor was there any information about students who use McGraw-Hill’s educational products. The company generates approximately $2.2 billion in revenue yearly and provides textbooks and digital learning products to schools and universities in the US and around the globe.
Immediately upon discovering the unauthorized access or misuse of these webpages, McGraw-Hill secured the websites in question and retained outside forensic computing firms to assist in determining the extent of any unauthorized activity. In addition, McGraw-Hill is collaborating closely with Salesforce to improve its website security and to ensure that the websites and any information they provide remain secure.
Who is Behind the ShinyHunters Threat?
ShinyHunters is one of the busiest data extortion groups around today and has already announced multiple high-profile breaches since the start of this year. Its victims include Rockstar Games, Hims & Hers, the European Commission, Telus Digital, Wynn Resorts, Canada Goose, Match Group, Panera Bread and CarGurus.
In March, ShinyHunters breached Infinite Campus, an American company that provides student information systems to K-12 schools across the United States, causing many to question whether student data is safe in this country.
The infrastructure that enables ShinyHunters to operate has come under fire: the FBI recently took down prominent dark web platforms connected to a Salesforce user database heist, demonstrating that law enforcement is actively targeting the marketplaces and forums where groups like ShinyHunters sell stolen data and extort victims.
Security experts have commented that when ShinyHunters steals data, it often exaggerates the size and sensitivity of the haul in order to encourage the companies it has targeted to pay a ransom. The group operates a dark web leak site where it names victims and sets deadlines for payment.
Why This Breach Matters for Students and Teachers
McGraw-Hill’s platforms reach millions of students and teachers across the United States. Students and educators in many different parts of the country use McGraw-Hill’s products or services on a daily basis, including digital textbooks, online homework systems, and other technology-based learning solutions.
As such, parents and teachers should feel relief that McGraw-Hill has indicated that the data breach did not compromise any student information on the McGraw-Hill platform. However, the incident raises some very serious concerns about how well third-party business entities have protected, and continue to protect, the private data of clients.
For example, Salesforce is one of the largest customer relationship management systems available, and has thousands (if not millions) of customers. This type of incident reinforces that even a tiny error on one particular web page may expose a firm and open a doorway for unauthorized individuals to attack.
McGraw-Hill continues to investigate the breach; however, it has not indicated whether it will pay the ransom demanded by ShinyHunters. Currently, the company maintains that the breached data is small in extent and non-sensitive in nature.