London-based education publisher Pearson agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including birth dates and email addresses.
According to the U.S. Securities and Exchange Commission, the data breach involved the theft of student data and administrator login credentials of 13,000 school, district, and university customer accounts.
In 2019, the publisher referred to a data privacy incident as a hypothetical risk in its semi-annual report, when, in fact, the 2018 cyber intrusion had already occurred, according to the SEC. And in a July 2019 media statement, Pearson stated that the breach may include birth dates and email addresses when it knew that such records had been stolen. Pearson also said at the time that it had strict protections in place, but it failed to patch the critical vulnerability for six months after it was notified, the SEC said. The media statement also left out the fact that millions of rows of student data, usernames, and hashed passwords were stolen.
Additionally, the SEC said that “Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.”
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC enforcement division’s cyber unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
While Pearson did not admit or deny the SEC’s findings, it agreed to pay a $1 million civil penalty.