Lawsuit Alleges Publisher Breach Affected 1M Students

Pearson, a British-owned education publishing company, is at the center of a lawsuit filed by an Illinois woman and her daughter over the handling of a data breach involving student personal information.

by Madeline Buckley, Chicago Tribune / September 6, 2019

(TNS) — CHICAGO — An Illinois woman and her daughter filed a lawsuit Thursday against education publishing giant Pearson, accusing the British-owned company of negligently handling student data and causing a data breach that compromised the personal information of nearly one million students in 13 states, including tens of thousands in the Chicago area.

The suit alleges the company concealed the breach from students and parents for more than four months. Pearson, headquartered in London but operating in all 50 states, is one of the largest publishers in the world, providing educational tools to schools.

The data breach affected thousands of students in a number of suburban school districts in the Chicago area, including districts in Naperville, Geneva, St. Charles and Gurnee. Nearly 53,000 students and 3,100 educators in Naperville District 203 and Indian Prairie District 204 were affected, along with nearly 8,000 students and more than 700 staff members at Central School District 301 and St. Charles School District 303.

A spokesman for Chicago Public Schools said the district did not use the software that was hacked but he couldn't rule out the possibility that an individual school used the software.

The lawsuit was filed by the Chicago civil rights firm Loevy & Loevy on behalf of a woman only identified as "Kylie S." In November 2018, it claims, a Pearson assessment software used in more than 13,000 schools was hacked, causing the data theft of students' first and last names, dates of birth, email addresses and unique student identification numbers.

Pearson did not have systems in place to secure the data from theft or to detect the breach on its own, the suit alleges. Instead, the company learned of the hack from the FBI in March, about four months later. The company then failed to notify those affected by the breach for at least another four months, when officials notified affected schools and released a public statement in late July, the complaint alleges.

"These students now have to live the rest of their lives knowing that criminals have the ability to compile, build and amass their profiles for decades — exposing them to a never-ending threat of identity theft, extortion, bullying and harassment," the lawsuit states.

The plaintiff is asking a judge to certify the lawsuit as a class action and appoint the woman as the class representative and award damages to the class.

Scott Overland, a spokesman for Pearson, said the company does not comment on pending litigation. But he referred to a past statement on the data breach, which said the company has "strict data protections in place."

The company reviewed the incident, found and fixed the vulnerability, according to the statement.

Children's data is becoming more attractive to hackers because they are less likely to check their credit reports or implement credit freezes, the lawsuit contends, and educational platforms are popular targets.

Overall, data breaches are becoming more common in the United States, with nearly 3,000 reported between 2017 and 2018, according to the suit.

©2019 Chicago Tribune. Distributed by Tribune Content Agency, LLC.

Platforms & Programs