Education company Pearson has confirmed a major cyberattack that exposed customer data and internal corporate information. The UK-based company, known for textbooks and digital education tools, said an unauthorized actor accessed part of its system earlier this year. Pearson discovered the breach and immediately began an investigation with the help of cybersecurity experts. The company also notified law enforcement and added new security measures to prevent future incidents.
Pearson stated that most of the stolen data is “legacy data,” meaning older records. According to the company, no employee data was affected. It plans to share updates directly with customers and partners.
Sources revealed the breach began in January 2025. Hackers accessed Pearson’s internal development tools using a security token found in a public Git configuration file. This file mistakenly exposed a GitLab Personal Access Token.
The attackers used the token to access Pearson’s source code. Inside the code, they found hard-coded credentials for cloud services like AWS, Google Cloud, and Snowflake. These credentials allowed them to steal large volumes of data over several months.
The stolen data reportedly includes customer records, financial details, support tickets, and internal source code. Pearson has not revealed how many users the breach affected but admitted the number could reach millions. The company also refused to say whether it paid any ransom.
Earlier this year, Pearson had disclosed a breach at its subsidiary PDRI. That incident is believed to be linked to the current attack.
Cybersecurity experts warn that exposing Git configuration files can lead to serious breaches. Developers are advised to secure these files and avoid storing access tokens or passwords in them.
Pearson has not said when affected users will be notified or what exact data was stolen. The investigation is still ongoing.
