Pearson: The Patch That Sat Unapplied Six Months
A critical security patch sat unapplied on a Pearson education platform for six months. By the time it was found, data on roughly 11.5 million student records across some 13,000 schools and universities had been taken — and Pearson described the breach to investors as a "hypothetical" risk. The SEC disagreed.
This is the story of the distance between knowing and acting: a documented flaw, an available fix, and the gap in between.
Chapters:
(0:00) The Call From the FBI
(1:14) Pearson and AIMSweb
(2:38) What Remote Code Execution Means
(3:40) The Patch That Was Never Applied
(5:14) Inside the Breach
(8:52) Four Months, Undetected
(10:30) What "Material" Means to the SEC
(12:01) The Notification Letters
(13:07) "A Hypothetical Risk"
(14:55) The Decade-Long Campaign
(16:54) The SEC Charge
(18:42) Knowing vs. Acting
(19:22) Takeaways
Free one-page technical breakdown: https://zerodaylogs.com
Watch the full video version on YouTube: [video URL]
Sources: SEC enforcement order (2021); DOJ indictment (2020); UK ICO penalty notice; Pearson Form 6-K (2019); state AG notifications.