[BreachExchange] Lawsuit Alleges Publisher Breach Affected 1M Students

Destry Winant destry at riskbasedsecurity.com
Mon Sep 9 09:13:50 EDT 2019


(TNS) — CHICAGO — An Illinois woman and her daughter filed a lawsuit
Thursday against education publishing giant Pearson, accusing the
British-owned company of negligently handling student data and causing
a data breach that compromised the personal information of nearly one
million students in 13 states, including tens of thousands in the
Chicago area.

The suit alleges the company concealed the breach from students and
parents for more than four months. Pearson, headquartered in London
but operating in all 50 states, is one of the largest publishers in
the world, providing educational tools to schools.

The data breach affected thousands of students in a number of suburban
school districts in the Chicago area, including districts in
Naperville, Geneva, St. Charles and Gurnee. Nearly 53,000 students and
3,100 educators in Naperville District 203 and Indian Prairie District
204 were affected, along with nearly 8,000 students and more than 700
staff members at Central School District 301 and St. Charles School
District 303.

A spokesman for Chicago Public Schools said the district did not use
the software that was hacked but he couldn't rule out the possibility
that an individual school used the software.

The lawsuit was filed by the Chicago civil rights firm Loevy & Loevy
on behalf of a woman only identified as "Kylie S." In November 2018,
it claims, a Pearson assessment software used in more than 13,000
schools was hacked, causing the data theft of students' first and last
names, dates of birth, email addresses and unique student
identification numbers.

Pearson did not have systems in place to secure the data from theft or
to detect the breach on its own, the suit alleges. Instead, the
company learned of the hack from the FBI in March, about four months
later. The company then failed to notify those affected by the breach
for at least another four months, when officials notified affected
schools and released a public statement in late July, the complaint

"These students now have to live the rest of their lives knowing that
criminals have the ability to compile, build and amass their profiles
for decades — exposing them to a never-ending threat of identity
theft, extortion, bullying and harassment," the lawsuit states.

The plaintiff is asking a judge to certify the lawsuit as a class
action and appoint the woman as the class representative and award
damages to the class.

Scott Overland, a spokesman for Pearson, said the company does not
comment on pending litigation. But he referred to a past statement on
the data breach, which said the company has "strict data protections
in place."

The company reviewed the incident, found and fixed the vulnerability,
according to the statement.

Children's data is becoming more attractive to hackers because they
are less likely to check their credit reports or implement credit
freezes, the lawsuit contends, and educational platforms are popular

Overall, data breaches are becoming more common in the United States,
with nearly 3,000 reported between 2017 and 2018, according to the

More information about the BreachExchange mailing list