Major cyberattack hits UK’s Pearson and steals customer data

May 12, 2025

UK education giant Pearson has confirmed it was the target of a major cyberattack, resulting in the theft of customer data and corporate information. The breach, which came to light in January 2025, is believed to have exposed sensitive data stored across various cloud services used by the company.

Pearson, one of the world’s largest providers of academic publishing, digital learning tools, and standardised testing, operates in more than 70 countries. The company acknowledged the incident in a statement, saying that an “unauthorised actor” had accessed part of its systems and downloaded what it described as “largely legacy data”.

The Pearson cyberattack started with an exposed GitLab token and led to access to key cloud platforms.

The cyberattack reportedly began with the exposure of a GitLab Personal Access Token (PAT) found in a publicly accessible `.git/config` file. This token granted attackers access to Pearson’s developer environment, including internal source code. The breach escalated when the attackers uncovered additional hard-coded credentials, enabling them to access cloud platforms including Amazon Web Services (AWS), Google Cloud, Snowflake, and Salesforce CRM.

Over the following months, the attackers allegedly exfiltrated terabytes of data, including customer information, financial records, support tickets, and more source code. Millions of individuals may have been impacted, although Pearson has not confirmed the exact number affected.

While Pearson said that no employee data was compromised, the company has yet to clarify what it considers “legacy data” or whether affected customers will be directly notified. When asked about the possibility of a ransom payment, Pearson declined to comment.

In response to the cyberattack, Pearson said it acted quickly to contain the breach, brought in forensic experts to investigate, and has since enhanced its system safeguards. These improvements include stronger authentication protocols and more rigorous security monitoring. Authorities have been engaged in the investigation as well.

The breach is also believed to be connected to an earlier security incident at one of Pearson’s subsidiaries, PDRI, which was disclosed in January.

This incident reflects a rising trend in which hackers exploit exposed Git configuration files to access sensitive systems. Last year, the Internet Archive suffered a similar breach due to a mistakenly exposed `.git/config` file containing authentication tokens.

Cybersecurity experts continue to stress the importance of securing configuration files and avoiding the storage of credentials in publicly accessible locations. As cloud services become increasingly central to business operations, the risks of such cyberattacks remain significant.
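A defensive check for the kind of exposure described above, as an added example that is not from the original article or from Pearson: the Python code below audits `.git/config` files under a directory (such as a web root or build output) for stored credentials and reports only redacted values. The sample config, host name and token are constructed placeholders, and the `glpat-` pattern assumes GitLab's default token prefix.

```python
import os
import re

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z][\w.-]*)\s*=\s*(.*?)\s*$")
URL_CRED = re.compile(r"^(https?://)[^/@\s]*:[^/@\s]*@(.+)$", re.I)
# GitLab's default PAT prefix is "glpat-"; instances can change it, so this is a hint only.
GITLAB_PAT = re.compile(r"glpat-[A-Za-z0-9_-]{20,}")

# Constructed sample; the token and host are placeholders, not real values.
SAMPLE = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLEEXAMPLEEXAMPLE@gitlab.example.com/team/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:team/app.git
"""

def audit_git_config(text):
    """Return (section, key, reason, redacted_value) for each stored credential."""
    findings, section = [], ""
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        if not (m := KEY_VALUE.match(line)):
            continue
        key, value, reason = m.group(1).lower(), m.group(2), None
        if key in ("url", "pushurl") and (u := URL_CRED.match(value)):
            reason = "credentials embedded in remote URL"
            value = f"{u.group(1)}<redacted>@{u.group(2)}"
        elif key == "extraheader" and "authorization" in value.lower():
            reason, value = "Authorization header stored in config", "<redacted>"
        elif GITLAB_PAT.search(value):
            reason, value = "GitLab PAT pattern", GITLAB_PAT.sub("glpat-<redacted>", value)
        if reason:
            findings.append((section, key, reason, value))
    return findings

def scan_tree(root):
    """Audit every .git/config under root; keys of the result are the .git directories."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            with open(os.path.join(dirpath, "config"), encoding="utf-8", errors="replace") as fh:
                if hits := audit_git_config(fh.read()):
                    results[dirpath] = hits
            dirnames[:] = []  # no need to descend into .git internals
    return results
```

Any hit means the token should be revoked and reissued, since redacting the file does not undo an exposure that has already happened.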
