School and university data breached in hack of education company Pearson
Education company Pearson Plc has been hacked, with data stolen from about 13,000 school and university accounts primarily in the U.S.
The hack, which was buried in a media release titled “Pearson customer notification,” involved the theft of data that included first name, last name and in some cases date of birth or email address. “While we have no evidence that this information has been misused, we have notified the affected customers as a precaution,” the company said.
Pearson didn’t provide much in the way of information, but the Wall Street Journal reported that the company was made aware of the hack by the U.S. Federal Bureau of Investigation in March.
The Journal report also sheds some light on the possible number of records involved in the breach. The 13,000 school and university accounts relate to school districts and universities, not individual users, with one of the accounts relating to a single school district with more than 114,000 students. Millions of records, if not more, may have been involved in the data breach.
The delay in reporting the breach since March also raises serious concerns under the European Union’s General Data Protection Regulation. Under GDPR, all organizations must report certain types of data breaches within 72 hours of becoming aware of the breach.
“This breach tarnishes a younger demographic’s digital footprint on the dark web at an early age, and gives cybercriminals a long runway to continue collecting additional information on these students and sharing it on the dark web’s connected ecosystem for the rest of their lives,” Kevin Gosschalk, co-founder and chief executive of fraud prevention firm Arkose Labs Inc., told SiliconANGLE. “The young demographic of Pearson’s customers are inherently more vulnerable because they have more at stake in the long-term.”
The problem, he added, is that cybercriminals will be able to leverage the exposed email addresses immediately to carry out “credential stuffing” attacks against other organizations, in which the data is used to make large numbers of login requests at websites.
Image: Pearson