London-based educational software maker Pearson reported on Wednesday a data breach involving about 13,000 school and university AIMSweb 1.0 accounts.
Exposed data included first and last names, dates of birth, and emails, Pearson said in a blog post. While the company didn’t give any details surrounding what caused the incident, it did say strict data protections have since been put in place and that it has since patched the vulnerability that allowed the compromise.
“And while it might seem easy to write this off as just another data breach, this week’s headlines show us that cybercrime affects victim from the cradle to the grave.”
Prigge added that nobody is safe and said data breaches impact people of all ages, geographies and demographics with the larger impact of these near-daily data breaches being that passwords and other traditional methods of authentication simply cannot be used by companies to authenticate users.
This is because the information is readily available to fraudsters on the dark web and can be easily used in account takeover attacks to commit fraud against organizations.
Arkose Labs Chief Executive Officer and Cofounder Kevin Gosschalk noted the breach tarnishes a younger demographic’s digital footprint on the dark web at an early age and gives cybercriminals a long runway to continue collecting additional information on these students by sharing it on the dark web’s connected ecosystem for the rest of their lives.
“Pearson’s data breach is the third major breach announced this week, on the heels of Capital One and Sephora,” Gosschalk said. “This breach is significant for two reasons: it exposed sensitive personal identifiable information (PII) on hundreds of thousands of school and university students and the attack went unnoticed by Pearson for months.”
Gosschalk added that young demographic of Pearson’s customers are inherently more vulnerable because they have more at stake in the long-term and that criminals will be able to immediately leverage the exposed email addresses to carry out credential stuffing attacks against other organizations.