Pearson: The Patch That Sat Unapplied Six Months

A critical security patch sat unapplied on a Pearson education platform for six months. By the time it was found, data on roughly 11.5 million student records across some 13,000 schools and universities had been taken — and Pearson described the breach to investors as a "hypothetical" risk. The SEC disagreed.

This is the story of the distance between knowing and acting: a documented flaw, an available fix, and the gap in between.

Chapters:
(0:00) The Call From the FBI
(1:14) Pearson and AIMSweb
(2:38) What Remote Code Execution Means
(3:40) The Patch That Was Never Applied
(5:14) Inside the Breach
(8:52) Four Months, Undetected
(10:30) What "Material" Means to the SEC
(12:01) The Notification Letters
(13:07) "A Hypothetical Risk"
(14:55) The Decade-Long Campaign
(16:54) The SEC Charge
(18:42) Knowing vs. Acting
(19:22) Takeaways

Free one-page technical breakdown: https://zerodaylogs.com
Watch the full video version on YouTube: [video URL]

Sources: SEC enforcement order (2021); DOJ indictment (2020); UK ICO penalty notice; Pearson Form 6-K (2019); state AG notifications.
