
Education giant Pearson has confirmed it was the target of a significant cyberattack, which led to the theft of corporate data and customer information. The UK-based company, known globally for its academic publishing and digital education tools, disclosed the breach in a statement to BleepingComputer, acknowledging that an "unauthorized actor" accessed part of its systems.
While Pearson described the compromised data as primarily "legacy data," it did not clarify what that entailed or how many customers were impacted. The company did, however, give an assurance that no employee data was stolen. Pearson says it responded by halting the intrusion, launching a forensic investigation, and bolstering its system safeguards with improved security monitoring and authentication.
According to sources cited by BleepingComputer, the breach originated in January 2025 from an exposed GitLab Personal Access Token (PAT) found inside a publicly accessible .git/config file. These configuration files, used by Git projects, can inadvertently leak credentials if they contain access tokens embedded in remote URLs—granting unauthorized users access to internal code repositories.
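To show what such a leak looks like from the defender's side, the following Python check is an added example, not code from Pearson or from the reporting cited here. It audits the text of a .git/config file for remote URLs that carry credentials in the userinfo part and reports them with the secret redacted; the function name, the sample host and the placeholder token are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config; host and token are placeholders, not real values.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://oauth2:PLACEHOLDER_TOKEN@gitlab.example.com/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example.com:team/app.git
    pushurl = https://deploy@gitlab.example.com/team/app.git
"""

SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
URL_KEY = re.compile(r'^\s*(url|pushurl)\s*=\s*(\S+)', re.IGNORECASE)

def find_embedded_credentials(config_text):
    """Return one finding per remote URL that carries userinfo (user[:secret]@)."""
    findings, section = [], ""
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):  # git config comment lines
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower() + (f' "{m.group(2)}"' if m.group(2) else "")
            continue
        m = URL_KEY.match(line)
        if not m or not section.startswith("remote"):
            continue
        parts = urlsplit(m.group(2))
        # scp-style remotes (git@host:path) have no scheme and rely on SSH keys.
        if parts.scheme not in ("http", "https") or parts.username is None:
            continue
        host = parts.netloc.rpartition("@")[2]
        has_secret = parts.password is not None
        # A lone username may itself be a token on some hosts, so mask it too.
        userinfo = f"{parts.username}:***" if has_secret else "***"
        findings.append({
            "line": lineno, "section": section, "key": m.group(1).lower(),
            "has_secret": has_secret,
            # Never echo the secret itself into scan output.
            "redacted": f"{parts.scheme}://{userinfo}@{host}{parts.path}",
        })
    return findings

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_CONFIG):
        print(finding)
```

Any finding is a reason to revoke the token and move the credential into a credential helper; the file itself should never be reachable from a web root.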
In Pearson’s case, the exposed token gave attackers access to source code containing further hardcoded credentials for various cloud services. Using this foothold, the attackers escalated access over the following months, exfiltrating terabytes of data from Pearson’s internal systems and cloud platforms, including AWS, Google Cloud, Snowflake, and Salesforce CRM.
The stolen data reportedly includes customer records, financial and billing information, support ticket histories and internal source code. This data trove is believed to impact millions of users across Pearson’s global footprint.
When asked about the scope of the breach, the definition of “legacy data,” and whether a ransom was paid, Pearson declined to provide details. The company only confirmed that affected customers and partners would be notified directly as needed.
This breach appears connected to an earlier incident Pearson reported in January involving its PDRI subsidiary, suggesting a broader compromise campaign.