Education Sector | March 2026 | EdTech

McGraw-Hill

One of the largest educational publishers exposed student records—grades, courses, and performance data from K-12 through college.

Student names, email addresses, academic records, course enrollments, performance data, institutional affiliations

1. What happened?

McGraw-Hill, one of the "big three" educational publishers with digital learning platforms used by millions of students, disclosed a data breach affecting their educational technology systems. The breach exposed student records across their various learning management and assessment platforms.

2. What data was actually inside?

Student names, email addresses, course enrollments, and academic performance data. EdTech platforms track everything: quiz scores, assignment submissions, time spent on materials, and learning progress. This data paints a detailed picture of each student's academic performance and struggles.

The data spans K-12 students (minors) through higher education—populations with different protections under FERPA and state student privacy laws.

3. Who gets hurt and how?

Students—including minors—whose educational records are now exposed. Academic performance data can affect college admissions, scholarships, and future opportunities. For K-12 students, this data shouldn't exist outside educational contexts, yet it's now in attacker hands.

Educational institutions that trusted McGraw-Hill as a vendor now face their own compliance questions. Under FERPA, schools are responsible for the data they share with vendors.

4. What did they think they were doing right?

McGraw-Hill is a legacy educational company that has transformed into an EdTech provider. They have contracts with thousands of schools and universities. They sign student data privacy agreements. They make commitments under state student privacy laws and the Student Privacy Pledge.

Educational technology has grown faster than security practices. Digital learning platforms collect more data than textbooks ever could—and that data has value to attackers.

5. What did they not know about their own data?

McGraw-Hill didn't know how much student data had accumulated across their platforms—or how accessible it was. EdTech companies often collect data beyond what's necessary for the educational purpose, keeping detailed analytics that become liabilities when breached.

Legacy systems, acquired platforms, and historical data create data sprawl. Student records from years past sit in databases that are still connected, still vulnerable.

6. What does attribution look like the morning after?

McGraw-Hill had to notify schools and universities—their customers—who then had to consider their own obligations to notify students and parents. The cascading notifications create confusion: whose breach is it? Who's responsible for telling students?

State student privacy laws vary, creating a patchwork of notification requirements. Some states require notification to parents of minors. Some require notification to state agencies. McGraw-Hill operates everywhere, so they face every requirement.

7. What would have changed the outcome?

Knowing what student data exists and whether it should still exist.

If McGraw-Hill had inventoried student data across all their platforms—current and legacy—they could have minimized what they retained, classified what they kept, and protected it appropriately. Student data has a shelf life; records from graduated students often shouldn't exist at all. They learned what they had when attackers took it.
