Pearson Experiences Cybersecurity Breach Resulting in Compromised Customer Data

Education provider Pearson has been compromised in a recent cyberattack that has exposed sensitive corporate and customer data. The company, which is based in the United Kingdom and serves as a major player in academic publishing and digital learning tools globally, confirmed the incident and stated that data was illegitimately accessed, with the bulk of it categorized as “legacy data.”

In an official communication, a Pearson representative acknowledged the unlawful intrusion, stating, “We recently uncovered that an unauthorized actor had gained access to a portion of our systems.” Following the detection of this breach, Pearson undertook immediate action to halt the unauthorized access and engaged forensic experts to investigate the extent of the breach and the nature of the affected data. Moreover, they have collaborated with law enforcement agencies during this investigation. Enhanced security measures have been implemented, focusing on improved security monitoring and authentication processes.

The company did clarify that the stolen data did not encompass employee information, and they intend to provide further relevant details to customers and partners as needed.

Reports indicate that the breach originated in a developer environment that was compromised through a GitLab Personal Access Token (PAT) exposed in a publicly accessible .git/config file. Git stores a repository's settings in this file, and if it is inadvertently served to the public it can reveal any access tokens embedded in it, giving unauthorized parties a way into essential repositories.

The exposed token was reportedly used by the attackers to gain entry to Pearson’s source code and then to harvest hard-coded credentials for associated cloud platforms. Over several months of illicit activity, the threat actors are believed to have exfiltrated significant amounts of data from Pearson’s internal and cloud infrastructure, including services such as Amazon Web Services and Google Cloud and cloud-based data stores such as Snowflake and Salesforce CRM. The data compromised in this incident is believed to include customer details, financial records, support inquiries, and proprietary source code, potentially affecting millions.

Despite inquiries from industry sources regarding the specifics of the data breach, including any ransom payments and the definition of “legacy data,” Pearson declined to comment on these matters. In a previous disclosure, Pearson indicated that they were investigating a breach related to one of their subsidiaries, PDRI, suggesting a link to the recent cyber incident.

The trend of scanning for exposed Git configuration files and credentials has become a prevalent tactic among cybercriminals targeting cloud-based services. This incident underlines the critical need for organizations to secure .git/config files, limit public access, and refrain from embedding sensitive credentials in any publicly exposed resources.
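One way to check a repository's own .git/config for the kind of embedded credential described above, as an added example for this article rather than Pearson's or GitLab's tooling; the config text, hostnames and token values are constructed placeholders, and the two shapes checked (a user:secret@ remote URL and an http.*.extraheader Authorization value) are assumptions about where such secrets typically land:

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config; the token and header values are placeholders, not real secrets.
SAMPLE_CONFIG = """\
[remote "origin"]
\turl = https://oauth2:glpat-PLACEHOLDER_TOKEN@gitlab.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.com:acme/app.git
[http "https://gitlab.example.com"]
\textraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64
"""

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][\w.-]*)\s*=\s*(.*?)\s*$')


def find_embedded_credentials(config_text):
    """Return (section, kind, username) per stored credential; the secret itself is
    never returned. Checks remote URLs (scheme://user:secret@host/...) and
    http.*.extraheader Authorization values."""
    findings = []
    section = None
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append((section, "extraheader", None))
        elif key == "url":
            parts = urlsplit(value)
            # scp-like syntax (git@host:path) has no scheme and cannot carry a
            # password; only scheme URLs embed user:secret@ before the host.
            if parts.scheme and "@" in parts.netloc:
                userinfo = parts.netloc.rsplit("@", 1)[0]
                username, sep, _secret = userinfo.partition(":")
                findings.append((section, "url-password" if sep else "url-user", username))
    return findings


if __name__ == "__main__":
    for section, kind, user in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"[{section}] {kind} user={user}")
```

Any hit means the repository's credentials live in a file that a misconfigured web server could serve; moving them to a credential helper or per-job CI variables removes the exposure.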