By Parmy Olson 

LONDON -- Pearson PLC, the British maker of educational software, is warning school districts that a far-reaching data breach has exposed details on thousands of students, chiefly in the U.S.

Pearson was notified about the cyberattack by the Federal Bureau of Investigation in March, according to a person familiar with the matter. The breach affected more than 13,000 school and university accounts, some containing information -- such as names, dates of birth and email addresses -- on thousands of students each. Who perpetrated the hack is still unknown, the person said.

"We have notified the affected customers as a precaution," a Pearson spokesman said. "We apologize to those affected."

The breach is the latest in a wave of cyber intrusions that have highlighted how much corporations are struggling to protect sensitive customer data.

Capital One Financial Corp. this week disclosed that its systems were breached, affecting data from roughly 106 million people. A former Amazon Web Services Inc. employee was arrested on Monday in connection with that breach, which compromised information such as social-security numbers and bank-account details.

Allan Cunningham, the information-security officer for Washoe County School District in Nevada, said he learned from Pearson that the breach affected data of 114,000 students enrolled between 2001 and 2016 in his jurisdiction alone. For about half of those, information on their dates of birth was accessed. A cybersecurity administrator in another large school district estimated that in his region about 500 students were affected.

Pearson suffered its data breach around November 2018, the company told school-district administrators in a letter detailing the incident and reviewed by The Wall Street Journal. The London-based company said it had no evidence that any student data was misused. It said it was offering complimentary credit-monitoring services to affected victims as a precaution.

Mr. Cunningham said he was advising parents to use the free credit-monitoring tools because of past incidents where scammers stole the identities of children. But, he added, "the overall risk is low" because Pearson's breach didn't include sensitive financial information.

Pearson said that school grades or assessment information didn't appear to be affected, and that the breached system didn't contain Social Security numbers, credit-card data or other financial information.

The company said it had suspended operations this week of the affected system, called AIMSweb 1.0. The decision to phase out the system was made previously, the company said, and wasn't related to the breach.

Pearson, with a history of producing textbooks, has increasingly focused on selling digital services. Last month, it said it would phase out such print publications.

One security expert said data theft is often an unintended consequence of educational companies shifting to digital products.

Douglas Levin, president of EdTech Strategies, a security consulting firm for the education industry, questioned some of the security practices Pearson's system used.

"If you're building an information system for schools, you wouldn't be placing personally identifiable info into a database like this," he said. "You'd use a unique student identifier that did not have a name, email and birth date."

Pearson said it was reviewing its systems.


(END) Dow Jones Newswires

July 31, 2019 20:38 ET (00:38 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.
Pearson (NYSE:PSO)
Historical Stock Chart
From Feb 2023 to Mar 2023 Click Here for more Pearson Charts.
Pearson (NYSE:PSO)
Historical Stock Chart
From Mar 2022 to Mar 2023 Click Here for more Pearson Charts.