Education Giant Breached via Exposed Developer Token – Full Story Explained

Pearson, one of the world’s largest education companies, suffered a significant cyberattack in January 2025, exposing sensitive customer and corporate data. The breach began when threat actors discovered a GitLab Personal Access Token (PAT) embedded in a public .git/config file within Pearson’s developer environment. This exposed token acted as a gateway, granting attackers access to Pearson’s internal source code repositories. The attackers found additional hard-coded credentials for cloud platforms such as AWS, Google Cloud, Salesforce CRM, and Snowflake within these repositories.

In May 2025, the attackers leveraged these credentials to move laterally across Pearson’s network and cloud environments, ultimately exfiltrating terabytes of data. 
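A defender can check their own checkouts, build artifacts and web roots for the kind of exposure described above, a token stored in a remote URL inside .git/config. The following is an added example, not code from Pearson or from the original article; it assumes GitLab's default `glpat-` token prefix, and the host name and token value in the sample are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config; host and token value are placeholders.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
    bare = false
[remote "origin"]
    url = https://oauth2:glpat-EXAMPLEEXAMPLEEXAMPLE@gitlab.example.com/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example.com:team/app.git
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
URL_KEY_RE = re.compile(r"^\s*(url|pushurl)\s*=\s*(\S+)", re.IGNORECASE)
# Assumption: tokens use GitLab's default "glpat-" prefix.
GITLAB_PAT_RE = re.compile(r"glpat-[A-Za-z0-9_.-]{20,}")


def find_embedded_credentials(config_text):
    """Return one finding per HTTP(S) remote URL that carries a secret."""
    findings, section = [], ""
    for lineno, line in enumerate(config_text.splitlines(), 1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        entry = URL_KEY_RE.match(line)
        if not entry:
            continue
        parts = urlsplit(entry.group(2))
        # SSH-style remotes (git@host:path) have no scheme and are skipped.
        if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
            continue
        userinfo, host = parts.netloc.rsplit("@", 1)
        is_pat = bool(GITLAB_PAT_RE.search(userinfo))
        if parts.password is None and not is_pat:
            continue  # a bare username is not a credential
        findings.append({
            "line": lineno,
            "section": section,
            "has_password": parts.password is not None,
            "gitlab_pat": is_pat,
            # Never echo the secret into scanner output or tickets.
            "url": parts._replace(netloc="REDACTED@" + host).geturl(),
        })
    return findings
```

Any finding means the token should be revoked and rotated, not just removed from the file, since the value may already have been copied.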

Consequences of the data breach

Pearson confirmed the breach, stating that the stolen data was “largely legacy” and did not include employee records. The company has not disclosed the total number of affected individuals or whether a ransom was demanded or paid. However, the stolen information reportedly included customer details, financial records, support tickets, and proprietary source code, potentially impacting millions of users worldwide.

The company also stated there was no disruption to its business operations, ruling out ransomware as a cause. Pearson responded promptly by halting unauthorized access, engaging digital forensics experts to investigate the breach, and supporting law enforcement efforts. The company also implemented enhanced security measures such as improved monitoring, authentication, and controls to prevent further intrusion. 

From a regulatory perspective, Pearson faces scrutiny under data protection laws such as the European Union’s General Data Protection Regulation (GDPR), which mandates strict controls on personal data handling and breach notifications. Given Pearson’s extensive operations across Europe and globally, compliance with GDPR is critical, and breaches involving customer data can lead to significant fines and legal consequences if transparency or data protection obligations are not met. While Pearson has not publicly disclosed regulatory actions or fines related to this incident, the company’s cooperation with law enforcement and forensic investigations aligns with GDPR’s requirements for breach response and reporting. 

Immediate actions and evidence collection

In cases of cyber attacks and data breaches, it is critical to understand what happened and produce documents that can be used by law enforcement and insurance companies.

The steps to take after a data breach include:

  • Preserve volatile and at-rest evidence from compromised systems and cloud environments.
  • Create forensic images of affected servers and endpoints to ensure data integrity and prevent spoliation.
  • Secure logs from cloud providers (AWS, Google Cloud, Salesforce) and internal systems for timeline reconstruction and root cause analysis. 
  • Create master and working copies of digital evidence, with the master stored securely and untouched. 
  • Document every access and transfer of evidence to ensure admissibility in potential legal proceedings.
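The master/working copy and custody-logging steps above can be sketched as follows. This is an added example, not a procedure taken from the Pearson investigation or from the original article; the directory layout, the `custody.jsonl` log name and the function names are assumptions made for illustration.

```python
import hashlib
import json
import os
import shutil
import stat
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def log_custody(case_dir, actor, action, item, sha256):
    """Append one chain-of-custody record as a JSON line."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "item": str(item), "sha256": sha256}
    with open(Path(case_dir) / "custody.jsonl", "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")


def preserve(source, case_dir, actor):
    """Store a read-only master and a separate working copy; return the SHA-256."""
    case_dir, name = Path(case_dir), Path(source).name
    master, working = case_dir / "master" / name, case_dir / "working" / name
    for folder in (master.parent, working.parent):
        folder.mkdir(parents=True, exist_ok=True)
    acquired = sha256_file(source)
    shutil.copyfile(source, master)
    os.chmod(master, stat.S_IRUSR)        # master is stored and left untouched
    shutil.copyfile(master, working)      # analysts only ever open this copy
    for label, path in (("master_stored", master), ("working_created", working)):
        if sha256_file(path) != acquired:
            raise ValueError(f"hash mismatch on {path}")
        log_custody(case_dir, actor, label, path, acquired)
    return acquired


def master_intact(case_dir, name):
    """Re-hash the master and compare it with the digest logged at storage time."""
    master = Path(case_dir) / "master" / name
    with open(Path(case_dir) / "custody.jsonl", encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh]
    logged = next(e["sha256"] for e in entries
                  if e["action"] == "master_stored" and e["item"] == str(master))
    return sha256_file(master) == logged
```

Calling `master_intact` before each analysis session and before handing evidence over gives a repeatable integrity check that can be cited in the final report.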

Analysis and attribution in Pearson’s case

Forensic analysts reconstructed the attack timeline, identifying the initial access vector (the exposed GitLab PAT), subsequent credential harvesting, and lateral movement. Through metadata analysis and correlation of system logs, they determined the scope of data exfiltration and assessed the “blast radius” of the breach.

The digital forensics team produced comprehensive reports detailing:

  • The sequence of events leading to the breach.
  • The methods and tools used by the attackers.
  • The types and volumes of data accessed or stolen.
  • Recommendations for remediation and future prevention.

These reports supported Pearson’s communication with law enforcement, regulatory bodies, and affected customers, and provided a foundation for potential litigation or insurance claims.

Conclusion

From initial detection to evidence preservation, cloud forensics, and legal reporting, a rigorous forensic process is essential to understand what happened, limit damage, and support recovery and accountability. 

For expert digital forensics support in breach investigations, incident response, or litigation, contact Proven Data. Our certified teams can help you collect, analyze, and preserve digital evidence across local and cloud environments to protect your organization’s interests.
