Access granted screen on monitor showing data breach

Education Giant Pearson Confirms Customer Data Breach After Cyber Attack

London, UK-based education giant Pearson PLC has confirmed it suffered a data breach that potentially leaked corporate and customer information.

“We recently discovered that an unauthorized actor gained access to a portion of our systems,” the company stated.

Pearson said it immediately responded by taking action to prevent further intrusion and launching an investigation with cyber forensic experts to determine the nature and the scope of the incident.

“Once we identified the activity, we took steps to stop it and investigate what happened and what data was affected with forensics experts. We also supported law enforcement’s investigation,” said Pearson.

It also deployed additional safeguards, including enhanced control, monitoring, and authentication, to deny the threat actor further access and prevent the attack from spreading.

Pearson data breach leaked “legacy” information

Pearson’s preliminary investigation suggests that the data breach compromised “largely legacy” information. Additionally, the education giant does not believe that the data breach exposed employee information.

“We are continuing to investigate, but at this time we believe the actor downloaded largely legacy data. We will be sharing additional information directly with customers and partners as appropriate,” the company said.

The company also disclosed that the cyber incident did not disrupt its operations, thus ruling out a ransomware attack.

Meanwhile, the education giant has not disclosed the attack vector, the number of victims affected, or the nature of information potentially compromised. The identity of the threat actor also remains undetermined or undisclosed, and Pearson has not confirmed receiving any ransom demands.

Given how little information Pearson and the threat actor have disclosed regarding the cyber attack, ransom negotiations are likely under consideration or ongoing. Typically, cybercriminals avoid publicizing data breaches when ransom payment is still possible to avoid hurting the impacted company’s reputation.

Meanwhile, threat actors reportedly compromised the company’s GitLab Personal Access Token (PAT) in January 2025 and exploited it to access its source code, which contained hard-coded credentials. The attackers reportedly used the compromised credentials to access on-prem and cloud data.

The access token could also expose the company’s project and email addresses, and allow threat actors to access other projects. Undisclosed sources also say the data breach exposed customer information, support tickets, and financial documents.

Cyber attacks on UK companies

It remains unclear if the threat actors behind the PowerSchool data breach were also responsible for the Pearson cyber attack. However, educational organizations are frequent targets of cyber attacks due to the vast amount of personal information they collect and retain in the course of their business.

In January 2025, Pearson subsidiary PDRI also suffered a data breach, likely related to the ongoing credentials exposure. Recently, PowerSchool also disclosed ongoing cyber extortion attempts targeting individual schools despite the company paying the ransom to guarantee data deletion.

Meanwhile, the attack on the UK educational giant comes hot on the heels of a cyber campaign targeting UK retailers. Recently, UK retail giants Marks & Spencer, the Co-op, and Harrods confirmed data breaches likely related to the Dragonforce ransomware.

Marks & Spencer recently confirmed that the previously reported data breach exposed customer information, and efforts are underway to notify affected people.