
Cyber Incident Victim: PDRI

Date:

Jan 2025

Location:

United Kingdom

Summary

A cyberattack compromised Pearson's subsidiary PDRI after threat actors exploited a GitLab Personal Access Token (PAT) exposed in a publicly accessible .git/config file, which granted access to internal repositories containing hard-coded cloud credentials. The attackers subsequently exfiltrated terabytes of data, including customer information, financial records, support tickets, and source code, from multiple cloud platforms. Pearson confirmed the data theft, described the affected material as primarily "legacy data," and emphasized that no employee information was impacted. Immediate containment steps were taken, and forensic experts and law enforcement were engaged to investigate. The subsidiary's client assessment platforms remained operational during the incident, and Pearson stated there was no impact on its broader business services. Customer notifications are ongoing.

Description

On January 30, 2025, Pearson plc subsidiary PDRI detected unauthorized activity on systems supporting its professional services business, which represents less than 2% of Pearson's total revenues. The client assessment delivery platforms remained operational during the incident. Immediate containment measures were implemented to halt the unauthorized activity upon discovery. PDRI initiated an investigation with assistance from an unnamed cybersecurity firm and engaged law enforcement authorities. Customer notification processes began, though the investigation remained in its early stages, with no confirmed impact on other Pearson business services or systems. Pearson later confirmed that this incident was part of a broader cyberattack against the parent company, which began when threat actors compromised Pearson's developer environment in January 2025 through an exposed GitLab Personal Access Token (PAT) found in a publicly accessible .git/config file.

The exposed GitLab token enabled attackers to access Pearson's source code repositories, which contained hard-coded credentials and authentication tokens for cloud platforms including AWS, Google Cloud, Snowflake, and Salesforce CRM. Over the following months, the threat actors used these credentials to exfiltrate terabytes of data from Pearson's internal network and cloud infrastructure. The stolen data included customer information, financial records, support tickets, and source code, affecting millions of individuals. Pearson characterized the compromised data as primarily "legacy data" and confirmed that no employee information was taken. The company deployed enhanced security monitoring and authentication controls, supported law enforcement investigations, and committed to sharing additional information with affected customers and partners. Pearson declined to disclose whether a ransom was paid, the precise number of impacted customers, or specific notification timelines beyond its existing communications. The PDRI breach was the first visible manifestation of a multi-stage campaign that started from a single exposed token and expanded through the credentials stored in source code.
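The two failure modes described above, a PAT sitting in a .git/config file and cloud keys hard-coded in repository contents, are both findable with a simple scan. A .git/config becomes public when a deployment copies the whole working tree, including the .git directory, into a web-served location; git stores the remote URL verbatim, so a clone made as https://oauth2:TOKEN@host/... leaves the token in plaintext for anyone who can request /.git/config. The following Python scanner is an added example (not code from Pearson, PDRI, or this incident write-up): it parses a git config, reports remotes whose URL carries userinfo, pattern-matches known token formats in any text, and rewrites the URL without the credential. The host name, repository path, and token values are constructed placeholders in the documented formats; the AWS key is the value used in AWS's own documentation.

```python
"""Detect credentials leaked through a git config and hard-coded cloud keys.

Added example, not code from Pearson, PDRI, or the incident write-up.
The config and source fragments below are constructed; the token values
are fake placeholders that only follow the documented formats
(GitLab PATs start with "glpat-", AWS access key IDs with "AKIA").
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed .git/config with a PAT embedded in the remote URL. If the
# .git directory is copied into a web root, GET /.git/config returns this
# file, and the token goes with it. Host and token are hypothetical.
EXPOSED_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLE1234567890abcd@gitlab.example.com/acme/portal.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed source fragment of the kind a leaked repository might hold;
# the key is the AWS documentation's own example value, not a live key.
HARDCODED_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_REGION = "eu-west-2"
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<value>.*?)\s*$")

# Token formats checked in any text (config files, source, CI logs).
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def parse_git_config(text):
    """Return {section_name: {key: value}} for a git-style INI file."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name").strip(), {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("value")
    return sections


def find_url_credentials(sections):
    """List remotes whose URL carries a username or password (userinfo)."""
    findings = []
    for name, keyvals in sections.items():
        if not name.startswith("remote "):
            continue
        parts = urlsplit(keyvals.get("url", ""))
        if parts.username or parts.password:
            findings.append({"remote": name, "host": parts.hostname,
                             "user": parts.username, "secret": parts.password})
    return findings


def scan_for_secrets(text):
    """Return (kind, match) pairs for every known token format in text."""
    return [(kind, m.group(0))
            for kind, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]


def strip_url_credentials(url):
    """Rewrite a remote URL without its userinfo; authentication then has
    to come from a credential helper or an environment-supplied token."""
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for hit in find_url_credentials(parse_git_config(EXPOSED_GIT_CONFIG)):
        print(f"{hit['remote']}: credential for {hit['host']} (user {hit['user']})")
    for kind, value in scan_for_secrets(EXPOSED_GIT_CONFIG + HARDCODED_SOURCE):
        print(f"{kind}: {value[:10]}...")
```

Run the script directly to print the findings for the constructed samples, or point the functions at real .git/config files and source trees in CI. The complementary server-side check is to request /.git/config on every public host and treat anything other than a 403 or 404 as a finding, since the fix for the exposure (stop serving the .git directory) and the fix for the token (revoke it and move to a credential helper) are independent.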
