https://plc.pearson.com/en-GB/news-and-insights/news/cyber-security-incident
https://www.bleepingcomputer.com/news/security/education-giant-pearson-hit-by-cyberattack-exposing-customer-data/

Education publishing powerhouse Pearson has confirmed a significant cybersecurity breach that resulted in the theft of corporate data and customer information. The UK-based company, which provides academic publishing, digital learning tools, and standardised assessments to schools and universities in over 70 countries, acknowledged the incident in a statement.

“We recently discovered that an unauthorised actor gained access to a portion of our systems,” a Pearson representative confirmed. “Once we identified the activity, we took steps to stop it and investigate what happened and what data was affected with forensics experts.”

According to sources familiar with the breach, the attackers initially compromised Pearson’s developer environment in January 2025 by exploiting an exposed GitLab Personal Access Token (PAT) discovered in a publicly accessible .git/config file. This configuration file, which should have been protected, contained embedded access tokens that granted the threat actors unauthorised entry to internal code repositories.

The security lapse had severe consequences. Over several months, attackers reportedly leveraged the initial access to obtain additional hard-coded credentials and authentication tokens for various cloud platforms including AWS, Google Cloud, Snowflake databases, and Salesforce CRM systems. Using these stolen credentials, the cybercriminals allegedly exfiltrated terabytes of data from both Pearson’s internal network and cloud infrastructure.

The stolen information reportedly includes customer data, financial records, support tickets, and proprietary source code, potentially affecting millions of individuals. While Pearson has confirmed the breach and the data theft, the company characterised the stolen information as “largely legacy data” without providing specifics on exactly what was taken or how many customers were affected.

“We have taken steps to deploy additional safeguards onto our systems, including enhancing security monitoring and authentication,” the company stated, adding that no employee information was included in the breach. Pearson declined to answer questions regarding possible ransom payments or whether affected customers would be notified.

Security experts note that this incident follows a concerning pattern of attacks targeting exposed Git configuration files. Last year, the Internet Archive suffered a similar breach when attackers discovered an authentication token in an exposed Git configuration file. Cybersecurity professionals emphasise that organisations must secure .git/config files by preventing public access and avoiding the practice of embedding credentials in remote URLs.
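The check recommended above can be automated. The following Python script is an added example, not code from Pearson or the cited reports: it scans the text of a .git/config file for HTTP(S) URLs that carry embedded credentials and reports them with the secret redacted. The function names, hosts and token values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

SECTION = re.compile(r'^\s*\[\s*([\w.-]+)(?:\s+"(.*)")?\s*\]\s*$')
KEYVAL = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*"?(.*?)"?\s*$')

# Constructed sample config; hosts and tokens are placeholders.
SAMPLE_CONFIG = """\
[core]
	bare = false
[remote "origin"]
	url = https://oauth2:glpat-PLACEHOLDER@gitlab.example.com/team/app.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
	url = git@gitlab.example.com:team/app.git
	pushurl = https://deploy@gitlab.example.com/team/app.git
[url "https://ci:PLACEHOLDER@gitlab.example.com/"]
	insteadOf = gl:
"""

def candidate_urls(text):
    """Yield (line number, location, URL) for each place git config stores a URL."""
    section = sub = None
    for n, line in enumerate(text.splitlines(), 1):
        if m := SECTION.match(line):
            section, sub = m.group(1).lower(), m.group(2)
            if section == "url" and sub:          # [url "<base>"] rewrite rules
                yield n, "url section", sub
        elif (m := KEYVAL.match(line)) and section == "remote":
            if m.group(1).lower() in ("url", "pushurl"):
                yield n, f'remote "{sub}" {m.group(1).lower()}', m.group(2)

def find_embedded_credentials(text):
    """Return findings for http(s) URLs carrying userinfo, with the secret redacted."""
    findings = []
    for n, where, url in candidate_urls(text):
        try:
            parts = urlsplit(url)
        except ValueError:                        # malformed URL: nothing to parse
            continue
        if parts.scheme not in ("http", "https") or parts.username is None:
            continue                              # SSH-style remotes hold no secret
        host = parts.netloc.rsplit("@", 1)[1]
        kind = "user:secret" if parts.password is not None else "username-only"
        redacted = parts._replace(netloc="***@" + host).geturl()
        findings.append((n, where, kind, redacted))
    return findings

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

A "username-only" finding still needs review, since some Git hosts accept a token in the username position.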

The Pearson breach may be connected to an earlier disclosed investigation from January involving the company’s subsidiary PDRI, though the company has not confirmed this connection publicly.