
Cyber Incident Victim: Pearson PLC

Date: May 2023

Location: United Kingdom

Summary

A cyber incident targeted British exam boards, including Pearson Edexcel, where hackers stole exam papers and sold them online to students seeking to cheat. The breach is suspected to have occurred through a school's internal email system. Police are investigating the data breach and associated fraud. Students involved risk having their results disqualified and being banned from retaking exams, which could affect their university placements.

Description

In May and June 2023, British police launched investigations into a series of cyber incidents targeting major national exam boards, including OCR, Pearson Edexcel, and AQA. The incidents involved the theft of examination papers, which were subsequently sold online to students seeking an unfair advantage on their high-stakes tests. The exam season in England and Wales, which ran from May 15 to June 27, typically experiences a surge in attempts to sell counterfeit papers, but these events were notable for involving genuine data breaches impacting the examination systems.

The initial method of compromise in the incidents affecting OCR and Pearson Edexcel was suspected to involve a hacker gaining access to a school's internal email system. From this compromised account, the threat actor was able to impersonate a legitimate school official and request exam papers directly from the exam boards. This social engineering tactic allowed the attacker to obtain genuine papers ahead of their scheduled administration dates. The breach was first reported by the publication Schools Week.

Cambridgeshire Constabulary confirmed it was investigating a data breach where two examination boards had exam papers extracted from their systems and sold online. A police spokesperson stated that the investigation was still in its early stages and that the force was collaborating with the UK government and the National Crime Agency’s cybercrime unit. This indicated the serious nature of the incident and its elevation to a national level. A separate but related cyber incident was also confirmed to have affected AQA, the largest exam board in Britain. Surrey Police reported they were investigating an allegation of fraud and computer misuse involving a data breach at AQA, whose main office is based at the University of Surrey. This particular incident was reported to the police on June 16, toward the very end of the exam season, though the exact timing of the initial breach was not publicly disclosed. No arrests had been made in connection with any of the incidents at the time of the reports.

The affected exam boards declined to comment individually on the specific breaches. Instead, they issued a collective response through the Joint Council for Qualifications (JCQ), which represents the major awarding bodies. The JCQ stated that exam boards had reported a small number of contained incidents of alleged fraud to the police. A JCQ spokesperson emphasized that as the police were actively investigating, it would not be appropriate to provide further information. The statement also served as a warning to students, noting that as in any year, those found to have been involved in malpractice would face severe consequences.

The impact of these breaches was significant due to the critical nature of the examinations involved. The main examinations in Britain are GCSEs, typically taken by 16-year-olds at the end of compulsory education, and A-Levels, which are advanced qualifications that form a core part of university entry requirements. The theft and sale of these papers threatened the integrity of the entire examination process. Students who were found to have purchased the stolen exams in advance faced the potential consequence of having their results disqualified and being banned from re-sitting the exams for a set period. This severe penalty could directly result in students missing out on their planned university placements, altering their educational and professional trajectories.

The response actions were primarily led by law enforcement. The involvement of multiple regional police forces, including Cambridgeshire Constabulary and Surrey Police, alongside the National Crime Agency’s cybercrime unit, pointed to a coordinated national effort to identify the perpetrators and understand the full scope of the breaches. The collaboration with the government highlighted the incident's importance as a matter of national education security. The exam boards themselves, through the JCQ, characterized the incidents as contained, suggesting they believed they had managed to limit the damage and prevent further extraction of papers once the breaches were identified. The primary containment measure was the official reporting of the incidents to the police for criminal investigation.

The incident shared similarities with a disruptive cyberattack that occurred in late May of the same year, which targeted national end-of-year high school exams in Greece. This international context underscored that educational institutions and examination systems are becoming attractive targets for cybercriminals seeking financial gain by exploiting the high-pressure environment surrounding standardized testing. The investigation in the UK remained ongoing, with law enforcement working to determine the full extent of the data theft and to identify those responsible for the attacks.
