McGraw Hill Data Breach 2026: The $10 Billion Governance Gap in Salesforce Security

We have written at length about EdTech privacy lawsuits and how organizations can avoid them if they want to protect themselves against regulatory action and plaintiff suits, but the McGraw Hill data breach raises a different set of compliance and security issues. On April 14, 2026, the digital education sector faced a reckoning. After a tense week of “pay-or-leak” ultimatums, the notorious threat actor group ShinyHunters followed through on their threat, releasing over 100GB of exfiltrated data allegedly belonging to the educational publishing titan McGraw Hill.

While McGraw Hill’s official statements have categorized the exposure as “limited” and “non-sensitive,” independent verification from Have I Been Pwned and cybersecurity analysts tells a more complex story. At least 13.5 million unique records—including names, physical addresses, phone numbers, and email addresses—are now circulating on the dark web.

For C-Suite leaders and IT directors, this isn’t just another breach notification. It is a masterclass in why SaaS Misconfiguration is the greatest compliance threat of 2026. This was not a failure of McGraw Hill’s encryption or a bypass of their firewall; it was a failure of Salesforce Experience Cloud governance.

The Anatomy of the Attack: The Aura API Exploit

The McGraw Hill breach is part of a massive, coordinated campaign targeting the Salesforce Aura framework. As organizations increasingly move toward “Experience Clouds” (formerly Community Cloud) to interact with students, customers, and partners, they inadvertently create public-facing doors into their CRM.

How the Data Was Lifted

The attackers utilized a modified version of AuraInspector, a tool originally designed for security auditing. By targeting the /s/sfsites/aura endpoint, ShinyHunters performed “mass-scanning” of public-facing pages.

The technical breakdown of the vulnerability follows a predictable, yet preventable, pattern:

  1. Overly Permissive Guest Profiles: Unauthenticated “Guest Users” were granted “API Enabled” permissions.

  2. Object-Level Misconfigurations: Organization-Wide Defaults (OWD) were likely set to “Public” for objects like Contacts or Leads, rather than “Private.”

  3. The Scraping Engine: Because the API was open, the attackers didn’t need to “hack” a password. They simply queried the API for records, harvesting 13.5 million rows of PII as if they were legitimate system administrators.
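The scraping pattern described in the three steps above leaves a distinctive trace in web-server or reverse-proxy logs: a sustained burst of unauthenticated requests to the Aura endpoint from a single source. The detector below is an added example, not code from the original article or from any party it discusses. It parses constructed access-log lines (the trailing `session=` field is an assumed proxy annotation, with `guest` marking an unauthenticated Experience Cloud visitor), counts guest requests to /s/sfsites/aura per source IP in a one-minute sliding window, and flags sources at or above a threshold. The IP addresses, timestamps and threshold are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"

# Combined log format plus a trailing "session=" field. The field is an assumed
# reverse-proxy annotation: "guest" marks an unauthenticated Experience Cloud
# visitor, anything else an authenticated session.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" session=(?P<session>\S+)$'
)


def _line(ip, second, session, path=AURA_PATH + "?r=1", method="POST"):
    """Build one constructed access-log line (sample data, not real traffic)."""
    ts = f"14/Apr/2026:09:00:{second:02d} +0000"
    return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 '
            f'"-" "python-requests/2.31" session={session}')


# Constructed sample (RFC 5737 documentation addresses): one guest source hits
# the Aura endpoint every two seconds for a minute, one authenticated user
# browses normally, and one guest makes a handful of ordinary requests.
SAMPLE_LINES = (
    [_line("203.0.113.5", s, "guest") for s in range(0, 60, 2)]
    + [_line("198.51.100.7", s, "auth") for s in range(0, 60, 10)]
    + [_line("192.0.2.9", s, "guest") for s in (3, 17, 41)]
    + [_line("192.0.2.9", 50, "guest", path="/s/login", method="GET")]
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_aura_scraping(lines, window=timedelta(minutes=1), threshold=20):
    """Map each source IP to its peak count of guest requests to the Aura
    endpoint inside any `window`, keeping only sources at or above `threshold`.

    A guest rendering a community page issues a small number of Aura calls;
    a scraper walking records issues far more per minute, so a per-source
    sliding-window count separates the two without inspecting request bodies.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["session"] != "guest":
            continue
        if not rec["path"].startswith(AURA_PATH):
            continue
        hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_aura_scraping(SAMPLE_LINES).items():
        print(f"ALERT: {ip} made {count} guest Aura requests within one minute")
```

The threshold is deliberately a parameter: tune it against a baseline of normal guest traffic on your own community before alerting on it, and treat a hit as a prompt to review the guest profile's permissions, since the burst itself only tells you that the door was tried, not whether it was open.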


The “Exfiltration” Trigger: Why CCPA and CPRA Change the Stakes

For companies operating in California, the terminology used in a breach disclosure is the difference between a PR headache and a multi-billion dollar class-action lawsuit.

Under the California Consumer Privacy Act (CCPA) and the CPRA, consumers have a Private Right of Action (Section 1798.150). This allows individuals to sue for statutory damages ranging from $100 to $750 per consumer, per incident, if their non-encrypted personal information is subject to “unauthorized access and exfiltration, theft, or disclosure.” As we saw in the recent Allison vs. PHH Mortgage case that we covered, lawsuits are already producing case law that opens the door to private suits when a site is running the Meta Pixel.

The “Reasonable Security” Litmus Test

To avoid these staggering damages, a company must prove they maintained “reasonable security procedures and practices.” In 2026, the legal consensus is shifting:

  • Is a Salesforce misconfiguration “unreasonable”? Most privacy attorneys argue yes. If a vendor provides a security toggle (like disabling Guest User API access) and a company fails to flip it, courts are increasingly viewing this as a failure of “reasonable” care.

  • The Proof of Exfiltration: Because ShinyHunters has publicly distributed the 100GB dataset, the “exfiltration” requirement for a CCPA lawsuit is effectively satisfied.

With 13.5 million records at a potential $750 per record, the theoretical liability reaches into the billions—far exceeding any ransom demand.

FERPA Compliance: The EdTech Compliance Crisis

As a provider for K-12 and Higher Education, McGraw Hill falls under the jurisdiction of the Family Educational Rights and Privacy Act (FERPA). While FERPA is primarily a federal funding regulation, the Department of Education’s Student Privacy Policy Office (SPPO) has become increasingly aggressive in 2026 regarding “School Official” data handling.

When a third-party vendor like McGraw Hill loses student data, the educational institutions they serve are forced to initiate their own incident response protocols. This creates a “trust deficit” that can lead to:

  • Contractual Terminations: Schools may be legally required to stop using platforms that cannot guarantee the “protection of PII from education records.”

  • Department of Education Audits: Repeated breaches (this is McGraw Hill’s third major exposure in four years) signal a systemic failure of data oversight.

Hardening Your Salesforce Instance: A Guide for IT Leaders

The McGraw Hill incident proves that your CRM is your most vulnerable perimeter. If you are an IT leader, you must audit your Salesforce environment against these four critical failure points today:

  • Guest User Profile. Action item: Uncheck “API Enabled” in System Permissions. Why it matters: Prevents unauthenticated users from querying backend data via the Aura API.

  • Sharing Settings. Action item: Set External OWDs to “Private” for all objects. Why it matters: Ensures records are hidden by default and only exposed via explicit Sharing Rules.

  • Object Permissions. Action item: Disable “View All” for Guest Profiles. Why it matters: Prevents “scraping” of entire database tables by non-users.

  • Field-Level Security. Action item: Audit PII fields (Email, Phone, Address). Why it matters: Even if a record is visible, sensitive fields should remain hidden from Guest Users.
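The four failure points above translate directly into an automated check that can be run before every Experience Cloud release. The audit below is an added example, not code from the article or from Captain Compliance's product: it evaluates a guest user profile and a set of per-object external sharing defaults against those four rules and returns one finding per violation. The input is constructed sample data whose field names follow the Metadata API's Profile (userPermissions, objectPermissions, fieldPermissions) and CustomObject (externalSharingModel) types; the PII field list and the two sample profiles are assumptions chosen for the demonstration, and a real audit would retrieve the guest profile and object metadata from your org before running it.

```python
# Fields treated as PII for rule 4. Assumed list for the example; extend it to
# whatever your org stores on guest-visible objects.
PII_FIELDS = {
    "Contact.Email", "Contact.Phone", "Contact.MailingStreet",
    "Lead.Email", "Lead.Phone", "Lead.Street",
}


def audit_guest_access(profile, external_sharing):
    """Return a list of (risk_area, detail) findings for a guest user profile.

    `profile` follows the Metadata API Profile shape (userPermissions,
    objectPermissions, fieldPermissions); `external_sharing` maps an object
    name to its externalSharingModel value.
    """
    findings = []

    # 1. Guest User Profile: "API Enabled" must be unchecked.
    for perm in profile.get("userPermissions", []):
        if perm.get("name") == "ApiEnabled" and perm.get("enabled"):
            findings.append(("Guest User Profile",
                             "ApiEnabled is on; uncheck 'API Enabled' in System Permissions"))

    # 2. Sharing Settings: the external OWD must be Private for every object.
    for obj, model in sorted(external_sharing.items()):
        if model != "Private":
            findings.append(("Sharing Settings",
                             f"{obj} externalSharingModel is {model}; set it to Private"))

    # 3. Object Permissions: no "View All" on a guest profile.
    for op in profile.get("objectPermissions", []):
        if op.get("viewAllRecords"):
            findings.append(("Object Permissions",
                             f"View All enabled on {op['object']}; disable it"))

    # 4. Field-Level Security: PII fields must not be readable by guests.
    for fp in profile.get("fieldPermissions", []):
        if fp.get("field") in PII_FIELDS and fp.get("readable"):
            findings.append(("Field-Level Security",
                             f"{fp['field']} is readable by the guest profile; hide it"))
    return findings


# Constructed sample: a guest profile that fails all four checks ...
WEAK_PROFILE = {
    "userPermissions": [{"name": "ApiEnabled", "enabled": True}],
    "objectPermissions": [
        {"object": "Contact", "allowRead": True, "viewAllRecords": True},
        {"object": "Lead", "allowRead": True, "viewAllRecords": False},
    ],
    "fieldPermissions": [
        {"field": "Contact.Email", "readable": True, "editable": False},
        {"field": "Contact.Phone", "readable": True, "editable": False},
        {"field": "Contact.FirstName", "readable": True, "editable": False},
    ],
}
WEAK_SHARING = {"Contact": "Read", "Lead": "Private"}

# ... and the same profile after applying the four action items.
HARDENED_PROFILE = {
    "userPermissions": [{"name": "ApiEnabled", "enabled": False}],
    "objectPermissions": [
        {"object": "Contact", "allowRead": True, "viewAllRecords": False},
        {"object": "Lead", "allowRead": False, "viewAllRecords": False},
    ],
    "fieldPermissions": [
        {"field": "Contact.Email", "readable": False, "editable": False},
        {"field": "Contact.Phone", "readable": False, "editable": False},
        {"field": "Contact.FirstName", "readable": True, "editable": False},
    ],
}
HARDENED_SHARING = {"Contact": "Private", "Lead": "Private"}


if __name__ == "__main__":
    for label, prof, share in (("weak", WEAK_PROFILE, WEAK_SHARING),
                               ("hardened", HARDENED_PROFILE, HARDENED_SHARING)):
        results = audit_guest_access(prof, share)
        print(f"{label}: {len(results)} finding(s)")
        for area, detail in results:
            print(f"  [{area}] {detail}")
```

Note that the hardened sample still leaves Contact.FirstName readable: the point of the field-level rule is to hide the fields an outsider can abuse, not to blank every column, so the PII list is the part of this check that deserves the most review against your own data model.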

How Captain Compliance Protects Your Future

In a landscape where “Living-off-the-SaaS” attacks are the new norm, traditional cybersecurity isn’t enough. You need Data Governance.

At Captain Compliance, we recognize that compliance isn’t a checkbox—it’s a shield. Our framework helps C-Suite leaders navigate the “McGraw Hill Trap” by providing:

  1. Automated Salesforce Audits: We identify overly permissive Experience Cloud settings and “Ghost Profiles” that leave your PII exposed to the Aura API exploit.

  2. Privacy-by-Design Implementation: We help you map your data flow to meet CCPA, CPRA, and FERPA standards, ensuring that “reasonable security” is a documented reality, not a theoretical claim.

  3. Vendor Risk Management: We help you vet your own third-party EdTech and SaaS providers, ensuring their “leaky buckets” don’t become your legal liability.

McGraw Hill Breach Happened Because Of…

The McGraw Hill breach was not a stroke of bad luck; it was the inevitable result of a “functionality over security” mindset. As the ShinyHunters group moves on to their next target, the question for your organization is simple: Is your Salesforce “door” locked, or just closed?

Don’t let a misconfiguration become a class-action lawsuit. Schedule a Data Protection Audit with Captain Compliance and secure your PII before the next leak drops.

Quick FAQ: McGraw Hill Breach 2026

  • How many people were affected? At least 13.5 million unique emails have been verified, though hackers claim up to 45 million records.

  • Was financial data stolen? McGraw Hill states that credit card info and Social Security Numbers were not part of this specific Salesforce leak.

  • What should I do if I have a McGraw Hill account? Change your password if you reuse it elsewhere and be highly skeptical of any emails or calls requesting “verification” of your account details.
