Pearson has confirmed that it was targeted by recently-indicted Chinese hackers who accessed the personally identifiable information of millions of students and teachers more than a year ago.
The hack was detailed in a federal indictment issued this month in the U.S. District Court for the Eastern District of Washington.
Federal prosecutors at the time did not name the educational software company whose proprietary and sensitive data had been stolen. But Pearson today confirmed to EdWeek Market Brief that it was a victim of the cyberattack.
“When we were contacted by the FBI last year, we immediately took action to determine the extent of the breach and to remedy the issue,” said Scott Overland, director of media relations for Pearson, in an emailed response to an inquiry about the cyberattack. “We then notified customers whose data was affected. The student data accessed was limited to first and last name, and in some instances, included date of birth and/or email address.”
Only one Pearson product was accessed—the AIMSweb 1.0 software platform, which supported classroom screening and assessment in grades K-12, according to the company. That platform is now retired.
The two suspects—Li Xiaoyu, 34, and Dong Jiazhi, 33—are former engineering students in China, who allegedly stole “hundreds of millions of dollars of trade secrets, intellectual property and other valuable information” globally over a decade, the indictment said.
Li and Dong were not acting on their own, federal officials contend. While they were in some instances stealing information for their own profit, they also worked on behalf of the Chinese government’s Ministry of State Security, according to the charges brought against them.
The campaign targeted the intellectual property and confidential business information of companies across a wide variety of industries, including COVID-19 research, according to a release from the Department of Justice.
Among other businesses affected in the decade-long attacks were those in gaming software development, industrial and medical device engineering, solar energy, and pharmaceuticals, according to the 11-count indictment.
“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber-criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state,” said Assistant Attorney General for National Security John C. Demers in the official announcement.
He described the charges as typifying “the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property.”
The indictment was issued amid mounting tensions between the Trump administration and Beijing. Trump administration officials, including Secretary of State Mike Pompeo, have levied increasingly harsh criticisms in recent months at the Chinese government over trade, human rights, and its response to the coronavirus.
The U.S. educational software company was targeted for only several months, from November 2018 through February 2019, federal officials said. During that time, 10 gigabytes of data were stolen, including millions of students’ and teachers’ personally identifiable information.
Pearson was notified by federal authorities of the data breach impacting its now-retired AIMSweb 1.0 platform in early 2019.
“Protecting our customers’ information is of critical importance to us and we appreciate the hard work of the FBI and Department of Justice to identify and charge the individuals responsible for this,” Pearson’s Overland said via email.
The indictment, unsealed in the Eastern District of Washington, said the accused Chinese hackers “gained initial access to victim networks using publicly known software vulnerabilities in popular products.”
The full indictment is available here.