The Pearson VUE hack: How the credential manager system data breach occurred

2015 ended with a troubling hack for electronic testing company Pearson VUE. In late November, Pearson VUE, the testing arm of Pearson Education, discovered malware on its Credential Manager System. Pearson VUE, the top global provider of computer testing, provides industry-wide tracking and testing services. Pearson VUE announced the data breach, noting, “…an unauthorized third party placed malware on Pearson VUE’s Credential Manager System—which is used by adult learners to support professional certifications and licenses. The unauthorized third party improperly accessed certain information related to a limited set of our users.”

The breach of a third-party certification manager like Pearson VUE is a serious concern for its clients like Cisco, Oracle, IBM, and others. While Oracle assured users its systems and information were not affected by the breach, Cisco limited the function of its Certifications Tracking System. By mid-December, Cisco announced the restoration of services and addition of “new safeguards…implemented to mitigate the risk of such an event occurring in the future.”

As the incident fades in the blogosphere, the investigation of the breach is likely to continue. While Pearson VUE reported its Credential Manager System is a stand-alone system, the hack exposed personal data, including passwords, that could be leveraged in the future by bad actors.

The incident highlights the inherent risk of third-party vendors without adequate digital security. A network perimeter is only as secure as its weakest link—which is often a trusted partner with an untrustworthy connection. As has been said before, smaller players are often targeted for reasons that include:

  • Third-party vendors sometimes lack the IT or financial resources to reduce or eliminate cyber risk. This is not the case with Pearson VUE. The vendor suffered brand damage and questions about its tech and its ability to offer secure services.
  • Few partnered networks engage in coordinated detection and response planning.
  • Third-party vendors, by design, are embedded in multiple partner networks. A breach of one ecosystem could lead to data loss in another.

The Pearson VUE hack was the last big third-party data breach of 2015. Make sure your third-party relationships are secure in 2021. Talk to Imprivata about secure vendor access solutions.